On 2011-06-01 21:58, Michael Diers wrote: > Dear mentors and backporters, > > I am looking for a sponsor for the new version 1.6.12dfsg-6~bpo50+1 > of my package "subversion". > > The new version addresses the following security issues: > > CVE-2011-1752 > Subversion's mod_dav_svn Apache HTTPD server module will dereference > a NULL pointer if asked to deliver baselined WebDAV resources. > > CVE-2011-1783 > Subversion's mod_dav_svn Apache HTTPD server module may in certain > scenarios enter a logic loop which does not exit and which allocates > memory in each iteration, ultimately exhausting all the available > memory on the server. > > CVE-2011-1921 > Subversion's mod_dav_svn Apache HTTPD server module may leak to > remote users the file contents of files configured to be unreadable > by those users. [...] Here's my draft of a Backports Security Announcement (also attached as BSA-037.txt): [ The BSA number below was obtained from team@backports.debian.org. Please replace the placeholder <Uploader> with your name. Please send this as a gpg inline signed mail to debian-backports-announce@lists.debian.org ] Subject: [BSA-037] Security Update for subversion <Uploader> uploaded new packages for subversion which fixed the following security problems: CVE-2011-1752 Subversion's mod_dav_svn Apache HTTPD server module will dereference a NULL pointer if asked to deliver baselined WebDAV resources. http://subversion.apache.org/security/CVE-2011-1752-advisory.txt CVE-2011-1783 Subversion's mod_dav_svn Apache HTTPD server module may in certain scenarios enter a logic loop which does not exit and which allocates memory in each iteration, ultimately exhausting all the available memory on the server. http://subversion.apache.org/security/CVE-2011-1783-advisory.txt CVE-2011-1921 Subversion's mod_dav_svn Apache HTTPD server module may leak to remote users the file contents of files configured to be unreadable by those users. http://subversion.apache.org/security/CVE-2011-1921-advisory.txt For the lenny-backports distribution the problems have been fixed in version 1.6.12dfsg-6~bpo50+1. For the stable distribution (squeeze) the problems have been fixed in version 1.6.12dfsg-6 [stable-sec]. If you don't use pinning (see [1]) you have to update the package manually via "apt-get -t lenny-backports install <packagelist>" with the packagelist of your installed packages affected by this update. [1] <http://backports.debian.org/Instructions> We recommend to pin (in /etc/apt/preferences) the backports repository to 200 so that new versions of installed backports will be installed automatically. Package: * Pin: release a=lenny-backports Pin-Priority: 200 -- Michael Diers, elego Software Solutions GmbH, http://www.elego.de
[ The BSA number below was obtained from team@backports.debian.org. Please replace the placeholder <Uploader> with your name. Please send this as a gpg inline signed mail to debian-backports-announce@lists.debian.org ] Subject: [BSA-037] Security Update for subversion <Uploader> uploaded new packages for subversion which fixed the following security problems: CVE-2011-1752 Subversion's mod_dav_svn Apache HTTPD server module will dereference a NULL pointer if asked to deliver baselined WebDAV resources. http://subversion.apache.org/security/CVE-2011-1752-advisory.txt CVE-2011-1783 Subversion's mod_dav_svn Apache HTTPD server module may in certain scenarios enter a logic loop which does not exit and which allocates memory in each iteration, ultimately exhausting all the available memory on the server. http://subversion.apache.org/security/CVE-2011-1783-advisory.txt CVE-2011-1921 Subversion's mod_dav_svn Apache HTTPD server module may leak to remote users the file contents of files configured to be unreadable by those users. http://subversion.apache.org/security/CVE-2011-1921-advisory.txt For the lenny-backports distribution the problems have been fixed in version 1.6.12dfsg-6~bpo50+1. For the stable distribution (squeeze) the problems have been fixed in version 1.6.12dfsg-6 [stable-sec]. If you don't use pinning (see [1]) you have to update the package manually via "apt-get -t lenny-backports install <packagelist>" with the packagelist of your installed packages affected by this update. [1] <http://backports.debian.org/Instructions> We recommend to pin (in /etc/apt/preferences) the backports repository to 200 so that new versions of installed backports will be installed automatically. Package: * Pin: release a=lenny-backports Pin-Priority: 200
Attachment:
signature.asc
Description: OpenPGP digital signature