On Wed, Nov 1, 2023 at 9:44 PM Stanimir Stamenkov via users < users@subversion.apache.org> wrote:
> Wed, 1 Nov 2023 20:36:17 +0530, /JITHIN K/: > > > The Subversion version in my Ubuntu server is 1.13.0-3ubuntu0.2 and when > > I check the change log > > > https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog > > I could see that security update for CVE-2020-17525 included in the > > 1.13.0-3ubuntu0.2 but patches for other three were not included > > (CVE-2021-21298 ,CVE-2021-21297,CVE-2021-21296). Does that mean in the > > next Ubuntu 20.04.x release they include patches for these > vulnerabilities? > > Funny, I'm not seeing the latter three related to Subversion: > > * https://nvd.nist.gov/vuln/detail/CVE-2021-21298 (Node-Red) > * https://nvd.nist.gov/vuln/detail/CVE-2021-21297 (Node-Red) > * https://nvd.nist.gov/vuln/detail/CVE-2021-21296 (Fleet) > > > On Mon, Oct 30, 2023 at 9:32 AM JITHIN K wrote: > > > >> CVE-2020-17525: Denial of service vulnerability in mod_authz_svn > >> module. This vulnerability can be exploited by an attacker to cause > >> Apache Subversion to crash. > >> CVE-2021-21298: Insecure deserialization vulnerability in > >> libsvn_xml library. This vulnerability can be exploited by an > >> attacker to execute arbitrary code on the Subversion server. > >> CVE-2021-21297: Heap-based buffer overflow vulnerability in > >> libsvn_fs_x library. This vulnerability can be exploited by an > >> attacker to execute arbitrary code on the Subversion server. > >> CVE-2021-21296: Integer overflow vulnerability in libsvn_diff > >> library. This vulnerability can be exploited by an attacker to cause > >> Apache Subversion to crash. > -- > > Hi Stanimir, Apology. You are right the other three vulnerabilities are not related to Subversion. Thank you.
