Generally speaking, you do not need to worry about this when using a
supported distro like Ubuntu. While they do not update to new versions
of a package like Subversion, they do their own backporting of
security and other important fixes to the version in their distro. So
the 1.13 that is in Ubuntu is not exactly equivalent to Subversion
1.13. It is really 1.13 + all fixes that Ubuntu thinks they should
backport.  You can see the changelog here and these fixes have all
been backported:

http://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog

This is true across ALL the packages that the distro provides.

It is not that I do not think upgrading to 1.14 has some value, it is
that in general I do not recommend fighting against your distro. Use
the packages they provide and support. The distro is your real source
of support, not all the OSS projects that are packaged into it.

Mark



On Mon, Oct 30, 2023 at 9:32 AM JITHIN K <jithin...@gmail.com> wrote:
>
>
> On Thu, Oct 26, 2023 at 7:36 PM Mark Phippard <markp...@gmail.com> wrote:
>>
>> On Thu, Oct 26, 2023 at 9:59 AM Nathan Hartman <hartman.nat...@gmail.com> wrote:
>> >>
>> >> -------- Forwarded Message --------
>> >
>> > (snip headers)
>> >>
>> >>
>> >> Hello Users Community,
>> >>
>> >> Hope you are doing great.
>> >> I have installed Apache Subversion 1.13 in Ubuntu 20.04.5 using apt-get
>> >> (from the Ubuntu package) and also installed libapache2-mod-svn.
>> >> I do not have any plan to upgrade the OS to Ubuntu 22.04. I am looking if
>> >> I use apt-get upgrade subversion will automatically upgrade Subversion to
>> >> 1.14 and also upgrade the library.
>> >
>> > Not by default (however see below): Generally, once an Ubuntu release line
>> > like 20.04.x is made, software in the Ubuntu package repositories will get
>> > only bug fixes and security fixes, not new features. This means that the
>> > Subversion packages will remain at 1.13.x for Ubuntu 20.04.x when using
>> > the default package repositories.
>> >
>> > However, it is likely that Ubuntu's backports repositories have the newer 
>> > Subversion 1.14.x releases. The backports repositories are the preferred 
>> > way to install newer releases of software packages on older releases of 
>> > Ubuntu.
>>
>> I would add that I do not believe there are compelling reasons to
>> upgrade from 1.13 to 1.14 if your distro hasn't. I would recommend
>> sticking with what your distro is providing unless there is some
>> highly compelling reason to install your own package. This is
>> especially true on a server.
>>
>> If you really have a need for 1.14, I would upgrade your entire distro
>> to a version that provides it.
>>
>> Mark
>
> Hello Mark,
>
> As per my understanding, Subversion 1.13 is no longer supported and no 
> security patches have been released for the following items in Subversion 
> 1.13.
>
> CVE-2020-17525: Denial of service vulnerability in mod_authz_svn module. This 
> vulnerability can be exploited by an attacker to cause Apache Subversion to 
> crash.
> CVE-2021-21298: Insecure deserialization vulnerability in libsvn_xml library. 
> This vulnerability can be exploited by an attacker to execute arbitrary code 
> on the Subversion server.
> CVE-2021-21297: Heap-based buffer overflow vulnerability in libsvn_fs_x 
> library. This vulnerability can be exploited by an attacker to execute 
> arbitrary code on the Subversion server.
> CVE-2021-21296: Integer overflow vulnerability in libsvn_diff library. This 
> vulnerability can be exploited by an attacker to cause Apache Subversion to 
> crash.
>
> This is the reason why I am looking for an upgrade to Subversion 1.14.5
>
>
> Thank you.
>
>
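
The check Mark describes (reading the distro changelog rather than the upstream version number) can be scripted. This is an added example, not part of the original thread or of Subversion or Ubuntu tooling; the changelog text, package name and CVE ids in it are constructed placeholders in Debian changelog format, and the function names are hypothetical.

```python
from __future__ import annotations
import re

# Constructed sample in Debian changelog format. The package name, maintainer
# and CVE ids are placeholders, NOT the real Ubuntu subversion changelog.
SAMPLE_CHANGELOG = """\
examplepkg (1.13.0-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: crash in authz handling
    - debian/patches/CVE-2099-0002.patch: add missing NULL check
    - CVE-2099-0002

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2099 00:00:00 +0000

examplepkg (1.13.0-3ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: denial of service
    - CVE-2099-0001

 -- Example Maintainer <maint@example.invalid>  Sun, 01 Jan 2098 00:00:00 +0000
"""

# Stanza header: "package (version) distribution(s); key=value"
HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) [^;]+;")
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def cve_fix_versions(changelog: str) -> dict[str, str]:
    """Map each CVE id to the oldest package version whose stanza mentions it."""
    fixed: dict[str, str] = {}
    version = None
    for line in changelog.splitlines():
        m = HEADER.match(line)
        if m:
            version = m.group("ver")
        elif version:
            for cve in CVE.findall(line):
                fixed[cve] = version  # stanzas are newest first, so the last write wins
    return fixed

def audit(changelog: str, wanted: list[str]) -> dict[str, str | None]:
    """For each CVE id of interest: the version that lists it, or None if absent."""
    fixed = cve_fix_versions(changelog)
    return {cve: fixed.get(cve) for cve in wanted}

if __name__ == "__main__":
    for cve, ver in audit(SAMPLE_CHANGELOG, ["CVE-2099-0001", "CVE-2099-0003"]).items():
        print(cve, "->", ver or "not mentioned in changelog")
```

On a real system the input would be the output of `apt-get changelog subversion`; a CVE id that comes back as `None` is only unmentioned in the changelog, so confirm it against the distro's security tracker before treating the package as unpatched.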
