[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
** No longer affects: subversion (Ubuntu Impish)

** Changed in: subversion (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1970228

Title:
  Multiple vulnerabilities in Bionic, Focal and Jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
Removing ubuntu-security-sponsors since there is no debdiff to sponsor.
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
Setting impish to Incomplete since there is no debdiff to sponsor at this stage.

** Changed in: subversion (Ubuntu Impish)
       Status: New => Incomplete
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
This bug was fixed in the package subversion - 1.14.1-3ubuntu0.22.04.1

---
subversion (1.14.1-3ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: CVE-2021-28544, CVE-2022-24070 (LP: #1970228)
    - debian/patches/CVE-2021-28544.patch,
      debian/patches/CVE-2022-24070.patch: New patches from upstream
      security advisories.

 -- Luís Infante da Câmara  Sat, 21 May 2022 11:52:35 +0100

** Changed in: subversion (Ubuntu Jammy)
       Status: New => Fix Released
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
This bug was fixed in the package subversion - 1.9.7-4ubuntu1.1

---
subversion (1.9.7-4ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: CVE-2018-11782, CVE-2019-0203, CVE-2020-17525 (LP: #1970228)
    - debian/patches/CVE-2018-11782.patch: New patch from upstream security
      advisory, that also fixes CVE-2019-0203.
    - debian/patches/handle_missing_file.patch: New patch from Subversion
      1.10 needed to apply CVE-2020-17525.patch.
    - debian/patches/CVE-2020-17525.patch: New patch from upstream security
      advisory.
    - debian/patches/java10-compatibility: New patch from Debian buster to
      fix build failure with OpenJDK 11.

 -- Luís Infante da Câmara  Sat, 21 May 2022 08:24:25 +0100
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
This bug was fixed in the package subversion - 1.13.0-3ubuntu0.2

---
subversion (1.13.0-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Remote unauthenticated denial-of-service in Subversion
    mod_authz_svn (LP: #1970228)
    - debian/patches/CVE-2020-17525.patch: Check for NULL repos_root_dirent
      in subversion/libsvn_repos/config_file.c.
    - CVE-2020-17525

 -- Luís Infante da Câmara  Thu, 12 May 2022 21:47:08 +0100

** Changed in: subversion (Ubuntu Focal)
       Status: New => Fix Released

** Changed in: subversion (Ubuntu Bionic)
       Status: New => Fix Released
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
Thanks for the updated patches - they look a lot better.

Note, one thing we try and do is to add references to the patch files to
indicate where they came from as per
https://dep-team.pages.debian.net/deps/dep3/ - as an example see the
update in
http://launchpadlibrarian.net/596090586/subversion_1.14.1-3_1.14.1-3ubuntu0.1.diff.gz
which shows these headers included in the new
debian/patches/CVE-XXX.patch files which got added as part of that
update. Including these also makes it a lot easier for reviewers to
ensure that the changes are 'official' and match what upstream has.

Also the debian/changelog entry is a bit terse compared to what we
normally would do - as an example please see step 3 at
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

However, in this case as you have already put a lot of work into these,
I am happy to go with them as they are (although I am replacing the
patches with the ones with DEP-3 headers from the impish update linked
above so we can keep as much attribution etc. as possible).

I will sponsor these later today/tomorrow. Thanks again.
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
** Patch added: "subversion_jammy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5591776/+files/subversion_jammy.debdiff
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
** Patch added: "subversion_bionic.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5591768/+files/subversion_bionic.debdiff

** Patch removed: "subversion_bionic.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5589241/+files/subversion_bionic.debdiff
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
** Patch added: "subversion_focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5591714/+files/subversion_focal.debdiff

** Patch removed: "subversion_focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5589357/+files/subversion_focal.debdiff
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
Thanks for the debdiffs. I've reviewed them:

- NACK on the bionic debdiff. Updating the version isn't acceptable for
  a security update. You can fix the FTBFS by using the
  java10-compatibility patch from buster.
- NACK on the focal debdiff. It doesn't look like you added the patch to
  the series file, so it's not getting applied during the build.
- NACK on the jammy debdiff. Please use targeted backported patches, and
  not a whole new upstream version.
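The two review points made on this thread, a patch left out of debian/patches/series (so the build never applies it) and patches shipped without DEP-3 headers, can both be caught before uploading. The script below is an added example, not part of the bug thread or of the subversion packaging: it lints a debian/patches directory for exactly those two problems. The fixture directory, the file name forgotten.patch and the Origin URL placeholder are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug thread: lint a debian/patches directory
# the way the reviewers above would, checking (1) that each patch is listed
# in the series file, since dpkg-source/quilt only apply listed patches, and
# (2) that each patch carries the DEP-3 headers used for attribution.

# check_patches DIR: print one finding per line, return 0 only when clean.
check_patches() {
    dir="$1"
    rc=0
    [ -f "$dir/series" ] || { echo "missing $dir/series"; return 1; }
    for p in "$dir"/*.patch; do
        [ -e "$p" ] || continue
        name=$(basename "$p")
        # series may carry comments and options ("foo.patch -p1"); compare
        # only the first field of non-comment lines, and match exactly.
        if ! awk '!/^#/ && NF { print $1 }' "$dir/series" | grep -qx "$name"; then
            echo "$name: not in series, will not be applied at build time"
            rc=1
        fi
        # DEP-3 minimum: a Description (or Subject) and an Origin header.
        grep -Eq '^(Description|Subject):' "$p" \
            || { echo "$name: missing DEP-3 Description/Subject header"; rc=1; }
        grep -q '^Origin:' "$p" \
            || { echo "$name: missing DEP-3 Origin header"; rc=1; }
    done
    return "$rc"
}

# make_fixture: constructed directory with one well-formed patch and one
# header-less patch that was never added to series. Prints the directory.
make_fixture() {
    d=$(mktemp -d)/patches
    mkdir "$d"
    printf '# applied in order\nCVE-2020-17525.patch\n' > "$d/series"
    cat > "$d/CVE-2020-17525.patch" <<'EOF'
Description: Check for NULL repos_root_dirent in config_file.c
Origin: upstream, ADVISORY-URL-PLACEHOLDER
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1970228
--- a/subversion/libsvn_repos/config_file.c
+++ b/subversion/libsvn_repos/config_file.c
EOF
    printf -- '--- a/file\n+++ b/file\n' > "$d/forgotten.patch"
    echo "$d"
}
```

Run `check_patches debian/patches` from an unpacked source package; a non-zero exit with findings on stdout means the debdiff would have drawn the same NACK as above.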
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
** Also affects: subversion (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: subversion (Ubuntu Impish)
   Importance: Undecided
       Status: New

** Also affects: subversion (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: subversion (Ubuntu Jammy)
   Importance: Undecided
       Status: New
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
** Attachment added: "Upstream tarball for Jammy"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5589359/+files/subversion-1.14.2.tar.bz2
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
** Patch added: "subversion_jammy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5589358/+files/subversion_jammy.debdiff

** Changed in: subversion (Ubuntu)
       Status: In Progress => Fix Committed
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
** Patch added: "subversion_focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5589357/+files/subversion_focal.debdiff
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-0203
[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy
** Summary changed:

- Version in Jammy is vulnerable to CVE-2021-28544 and CVE-2022-24070
+ Multiple vulnerabilities in Bionic, Focal and Jammy

** Description changed:

+ The versions in Bionic and Focal are vulnerable to CVE-2020-17525.
+ The version in Jammy is vulnerable to CVE-2021-28544 and CVE-2022-24070.
  Debian released a security advisory on April 13. The Ubuntu CVE Tracker
  mentions that these CVEs need triage for this distribution and package.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-17525

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11782