diff -u subversion-1.7.9/debian/changelog subversion-1.7.9/debian/changelog
--- subversion-1.7.9/debian/changelog
+++ subversion-1.7.9/debian/changelog
@@ -1,3 +1,13 @@
+subversion (1.7.9-1+nmu7) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix cve-2013-4131: out-of-bounds read in mod_dav_svn/repos.c
+    (closes: #717794).
+  * Fix cve-2013-4277: svnserve does not check if its pid file is a symlink
+    (closes: #721542).
+
+ -- Michael Gilbert <mgilbert@debian.org>  Mon, 14 Oct 2013 01:50:51 +0000
+
 subversion (1.7.9-1+nmu6) unstable; urgency=low
 
   * Add Breaks/Replaces: libapache2-svn to libapach2-mod-svn.
diff -u subversion-1.7.9/debian/patches/series subversion-1.7.9/debian/patches/series
--- subversion-1.7.9/debian/patches/series
+++ subversion-1.7.9/debian/patches/series
@@ -25,0 +26,2 @@
+cve-2013-4131.patch
+cve-2013-4277.patch
only in patch2:
unchanged:
--- subversion-1.7.9.orig/debian/patches/cve-2013-4131.patch
+++ subversion-1.7.9/debian/patches/cve-2013-4131.patch
@@ -0,0 +1,41 @@
+Index: subversion/mod_dav_svn/repos.c
+===================================================================
+--- a/subversion/mod_dav_svn/repos.c	(revision 1503527)
++++ b/subversion/mod_dav_svn/repos.c	(revision 1503528)
+@@ -2408,21 +2408,12 @@
+                 svn_boolean_t is_urlpath,
+                 apr_pool_t *pool)
+ {
+-  apr_size_t len;
+-  char *tmp = apr_pstrdup(pool, path);
+-
+-  len = strlen(tmp);
+-
+-  if (len > 0)
++  if (*path != '\0') /* not an empty string */
+     {
+-      /* Remove any trailing slash; else svn_path_dirname() asserts. */
+-      if (tmp[len-1] == '/')
+-        tmp[len-1] = '\0';
+-
+       if (is_urlpath)
+-        return svn_urlpath__dirname(tmp, pool);
++        return svn_urlpath__dirname(path, pool);
+       else
+-        return svn_fspath__dirname(tmp, pool);
++        return svn_fspath__dirname(path, pool);
+     }
+ 
+   return path;
+@@ -2458,7 +2449,9 @@
+       parent->versioned = 1;
+       parent->hooks = resource->hooks;
+       parent->pool = resource->pool;
+-      parent->uri = get_parent_path(resource->uri, TRUE, resource->pool);
++      parent->uri = get_parent_path(svn_urlpath__canonicalize(resource->uri,
++                                                              resource->pool),
++                                    TRUE, resource->pool);
+       parent->info = parentinfo;
+ 
+       parentinfo->uri_path =
+]]]
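Review bot: In the first inner hunk, get_parent_path() now hands `path` straight to svn_urlpath__dirname() / svn_fspath__dirname() without the trailing-slash stripping it used to do, so it depends on every caller passing a canonical path; the removed comment says the dirname helper asserts otherwise. The second inner hunk canonicalizes `resource->uri` at one call site, but any other callers, and the `is_urlpath == FALSE` branch, are not visible here and should be checked, since an assertion inside mod_dav_svn would presumably abort the serving process. I would record the precondition above the function, e.g. `/* PATH must already be canonical (no trailing slash); the dirname helpers assert otherwise. */`. The function's signature starts above the hunk. Separately, the patch file ends with a stray `]]]` line and has no description or origin header tying it to the upstream revision.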
only in patch2:
unchanged:
--- subversion-1.7.9.orig/debian/patches/cve-2013-4277.patch
+++ subversion-1.7.9/debian/patches/cve-2013-4277.patch
@@ -0,0 +1,17 @@
+Index: subversion/svnserve/main.c
+===================================================================
+--- a/subversion/svnserve/main.c  (revision 1516311)
++++ b/subversion/svnserve/main.c  (working copy)
+@@ -403,8 +403,9 @@ static svn_error_t *write_pid_file(const char *fil
+   const char *contents = apr_psprintf(pool, "%" APR_PID_T_FMT "\n",
+                                              getpid());
+
++  SVN_ERR(svn_io_remove_file2(filename, TRUE, pool));
+   SVN_ERR(svn_io_file_open(&file, filename,
+-                           APR_WRITE | APR_CREATE | APR_TRUNCATE,
++                           APR_WRITE | APR_CREATE | APR_EXCL,
+                            APR_OS_DEFAULT, pool));
+   SVN_ERR(svn_io_file_write_full(file, contents, strlen(contents), NULL,
+                                  pool));
+]]]
+
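Review bot: The new remove-then-`APR_EXCL` sequence in write_pid_file() carries no comment explaining why the order matters, so a later cleanup could revert it to `APR_TRUNCATE` and reintroduce the symlink-following write. I would add above the two calls: `/* Unlink first, then create exclusively: the open must never follow or truncate a pre-existing file or symlink at FILENAME. */`. If the pid file's directory is writable by another user, the path can still be re-created between the two calls; the exclusive open should then fail through SVN_ERR rather than write through the link, which leaves a failed startup as the residual risk. It is therefore worth documenting that the pid file belongs in a directory only the service account can write. The function body continues outside the hunk, and this patch file also ends with a stray `]]]` line and lacks a description header.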
