
Re: [SECURITY] [DLA 448-1] subversion security update



Hi there;

As at: 20160501-0735 +0000 (UTC): Updated packages DO NOT APPEAR at the Australian Mirror (IP: 150.203.164.61) of:

http://security.debian.org/debian-security/pool/updates/main/s/subversion/

Can someone please ensure that the updated packages are pushed out to the Australian Mirror at the earliest opportunity.

Yours sincerely,
Bjoern.

On 01/05/16 10:26, James McCoy wrote:
Package        : subversion
Version        : 1.6.17dfsg-4+deb7u11
CVE ID         : CVE-2016-2167 CVE-2016-2168

CVE-2016-2167

     svnserve, the svn:// protocol server, can optionally use the Cyrus
     SASL library for authentication, integrity protection, and encryption.
     Due to a programming oversight, authentication against Cyrus SASL
     would permit the remote user to specify a realm string which is
     a prefix of the expected realm string.


CVE-2016-2168

     Subversion's httpd servers are vulnerable to a remotely triggerable crash
     in the mod_authz_svn module.  The crash can occur during an authorization
     check for a COPY or MOVE request with a specially crafted header value.

     This allows remote attackers to cause a denial of service.
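
The realm-prefix flaw described under CVE-2016-2167 above, as an added illustration that is not part of the original message and is not Subversion's code: a comparison bounded by the length of the client-supplied realm accepts any prefix of the expected realm, while a length check followed by a full comparison does not. The function names and realm values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the bug class; not Subversion's source. */

/* Flawed: compares only as many bytes as the client supplied, so any
 * prefix of the expected realm (including the empty string) matches. */
int realm_matches_prefix_bug(const char *expected, const char *supplied)
{
    return strncmp(expected, supplied, strlen(supplied)) == 0;
}

/* Corrected: the lengths must be equal before the bytes are compared. */
int realm_matches_exact(const char *expected, const char *supplied)
{
    size_t elen = strlen(expected);
    size_t slen = strlen(supplied);

    if (elen != slen)
        return 0;
    return memcmp(expected, supplied, elen) == 0;
}

int main(void)
{
    /* Constructed sample values: the configured realm and four
     * client-supplied realms (full match, prefix, empty, unrelated). */
    const char *expected = "example.org repository";
    const char *samples[] = {
        "example.org repository", "example.org", "", "other.org"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("supplied=\"%s\" flawed=%d exact=%d\n", samples[i],
               realm_matches_prefix_bug(expected, samples[i]),
               realm_matches_exact(expected, samples[i]));
    return 0;
}
```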


