[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-06-02 Thread Seth Arnold
** No longer affects: subversion (Ubuntu Impish)

** Changed in: subversion (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1970228

Title:
  Multiple vulnerabilities in Bionic, Focal and Jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-27 Thread Alex Murray
Removing ubuntu-security-sponsors since there is no debdiff to sponsor.


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-27 Thread Alex Murray
Setting impish to Incomplete since there is no debdiff to sponsor at
this stage.

** Changed in: subversion (Ubuntu Impish)
   Status: New => Incomplete


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-26 Thread Launchpad Bug Tracker
This bug was fixed in the package subversion - 1.14.1-3ubuntu0.22.04.1

---
subversion (1.14.1-3ubuntu0.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: CVE-2021-28544, CVE-2022-24070 (LP: #1970228)
    - debian/patches/CVE-2021-28544.patch, debian/patches/CVE-2022-24070.patch:
      New patches from upstream security advisories.

 -- Luís Infante da Câmara  Sat, 21 May 2022 11:52:35 +0100

** Changed in: subversion (Ubuntu Jammy)
   Status: New => Fix Released


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-25 Thread Launchpad Bug Tracker
This bug was fixed in the package subversion - 1.9.7-4ubuntu1.1

---
subversion (1.9.7-4ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: CVE-2018-11782, CVE-2019-0203, CVE-2020-17525
    (LP: #1970228)
    - debian/patches/CVE-2018-11782.patch: New patch from upstream security
      advisory, that also fixes CVE-2019-0203.
    - debian/patches/handle_missing_file.patch: New patch from Subversion 1.10
      needed to apply CVE-2020-17525.patch.
    - debian/patches/CVE-2020-17525.patch: New patch from upstream security
      advisory.
    - debian/patches/java10-compatibility: New patch from Debian buster to fix
      build failure with OpenJDK 11.

 -- Luís Infante da Câmara  Sat, 21 May 2022 08:24:25 +0100


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-25 Thread Launchpad Bug Tracker
This bug was fixed in the package subversion - 1.13.0-3ubuntu0.2

---
subversion (1.13.0-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Remote unauthenticated denial-of-service in Subversion
    mod_authz_svn (LP: #1970228)
    - debian/patches/CVE-2020-17525.patch: Check for NULL repos_root_dirent in
      subversion/libsvn_repos/config_file.c.
    - CVE-2020-17525

 -- Luís Infante da Câmara  Thu, 12 May 2022 21:47:08 +0100

** Changed in: subversion (Ubuntu Focal)
   Status: New => Fix Released

** Changed in: subversion (Ubuntu Bionic)
   Status: New => Fix Released


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-22 Thread Alex Murray
Thanks for the updated patches - they look a lot better. Note, one thing
we try and do is to add references to the patch files to indicate where
they came from as per https://dep-team.pages.debian.net/deps/dep3/ - as
an example see the update in
http://launchpadlibrarian.net/596090586/subversion_1.14.1-3_1.14.1-3ubuntu0.1.diff.gz
which shows these headers included in the new
debian/patches/CVE-XXX.patch files which got added as part of that update.

Including these also makes it a lot easier for reviewers to ensure that
the changes are 'official' and match what the upstream.

Also the debian/changelog entry is a bit terse compared to what we
normally would do - as an example please see step 3 at
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

However, in this case as you have already put a lot of work into these,
I am happy to go with them as they are (although I am replacing the
patches with the ones with dep-3 headers from the impish update linked
above so we can keep as much attribution etc as possible). I will
sponsor these later today/tomorrow.

Thanks again.


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-21 Thread Luís Cunha dos Reis Infante da Câmara
** Patch added: "subversion_jammy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5591776/+files/subversion_jammy.debdiff


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-21 Thread Luís Cunha dos Reis Infante da Câmara
** Patch added: "subversion_bionic.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5591768/+files/subversion_bionic.debdiff

** Patch removed: "subversion_bionic.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5589241/+files/subversion_bionic.debdiff


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-21 Thread Luís Cunha dos Reis Infante da Câmara
** Patch added: "subversion_focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5591714/+files/subversion_focal.debdiff

** Patch removed: "subversion_focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5589357/+files/subversion_focal.debdiff


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-19 Thread Marc Deslauriers
Thanks for the debdiffs. I've reviewed them:

- NACK on the bionic debdiff. Updating the version isn't acceptable for a
  security update. You can fix the FTBFS by using the java10-compatibility
  patch from buster.
- NACK on the focal debdiff. It doesn't look like you added the patch to the
  series file, so it's not getting applied during the build.
- NACK on the jammy debdiff. Please use targeted backported patches, and not a
  whole new upstream version.

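
Two review points raised in this thread (a patch that was never added to the series file, and patch files without DEP-3 headers) can be checked mechanically before a debdiff is submitted. The following is an added example, not part of the thread or of Ubuntu's tooling; the function names and the sample tree are constructed, and it assumes DEP-3's rule that a patch needs Description or Subject, plus Origin unless Author/From is given.

```python
import re
import tempfile
from pathlib import Path

FIELD = re.compile(r"^([A-Za-z][A-Za-z-]*):")

def series_entries(patches_dir):
    # quilt series: one patch per line, '#' comments, optional options (-p1)
    series = Path(patches_dir) / "series"
    lines = series.read_text().splitlines() if series.exists() else []
    stripped = (l.split("#", 1)[0].split() for l in lines)
    return {parts[0] for parts in stripped if parts}

def dep3_fields(patch_path):
    # Header field names that appear before the diff body starts
    fields = set()
    for line in Path(patch_path).read_text(errors="replace").splitlines():
        if line.startswith(("---", "diff ", "Index: ")):
            break
        m = FIELD.match(line)
        if m:
            fields.add(m.group(1).lower())
    return fields

def audit(patches_dir):
    # Returns {patch name: [problems]}; an empty dict means nothing to flag
    listed, report = series_entries(patches_dir), {}
    for patch in sorted(Path(patches_dir).iterdir()):
        if patch.name == "series" or not patch.is_file():
            continue
        fields, problems = dep3_fields(patch), []
        if patch.name not in listed:
            problems.append("not listed in series")
        if not fields & {"description", "subject"}:
            problems.append("no DEP-3 Description/Subject")
        if not fields & {"origin", "author", "from"}:
            problems.append("no DEP-3 Origin/Author")
        if problems:
            report[patch.name] = problems
    return report

def demo():
    # Constructed sample tree: good.patch is listed and tagged, bare.patch is neither
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "series").write_text("# constructed sample\ngood.patch -p1\n")
        (root / "good.patch").write_text("Description: x\nOrigin: upstream\n--- a/f\n")
        (root / "bare.patch").write_text("--- a/f\n+++ b/f\n")
        return audit(root)
```

Run `audit("debian/patches")` from the unpacked source tree; a patch reported as "not listed in series" is present in the package but will not be applied during the build.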

[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-19 Thread Marc Deslauriers
** Also affects: subversion (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: subversion (Ubuntu Impish)
   Importance: Undecided
   Status: New

** Also affects: subversion (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: subversion (Ubuntu Jammy)
   Importance: Undecided
   Status: New


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-12 Thread Luís Cunha dos Reis Infante da Câmara
** Attachment added: "Upstream tarball for Jammy"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5589359/+files/subversion-1.14.2.tar.bz2


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-12 Thread Luís Cunha dos Reis Infante da Câmara
** Patch added: "subversion_jammy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5589358/+files/subversion_jammy.debdiff

** Changed in: subversion (Ubuntu)
   Status: In Progress => Fix Committed


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-12 Thread Luís Cunha dos Reis Infante da Câmara
** Patch added: "subversion_focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/1970228/+attachment/5589357/+files/subversion_focal.debdiff


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-07 Thread Luís Cunha dos Reis Infante da Câmara
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-0203


[Bug 1970228] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-05-07 Thread Luís Cunha dos Reis Infante da Câmara
** Summary changed:

- Version in Jammy is vulnerable to CVE-2021-28544 and CVE-2022-24070
+ Multiple vulnerabilities in Bionic, Focal and Jammy

** Description changed:

+ The versions in Bionic and Focal are vulnerable to CVE-2020-17525.
+ 
  The version in Jammy is vulnerable to CVE-2021-28544 and CVE-2022-24070.
  
  Debian released a security advisory on April 13.
  
  The Ubuntu CVE Tracker mentions that these CVEs need triage for this
  distribution and package.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-17525

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11782
