-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear mentors and backporters,

I am looking for a sponsor for the new version 1.6.12dfsg-5~bpo50+1
of my existing backport of package "subversion".

The new version addresses the following issues, please see also the
attached BSA draft notice:

CVE-2011-0715

  Subversion's mod_dav_svn Apache HTTPD server module will dereference
  a NULL pointer if a lock token is sent in a HTTP request by a
  Subversion client which has not authenticated to the server.

  http://subversion.apache.org/security/CVE-2011-0715-advisory.txt

It builds these binary packages:

libapache2-svn    - Subversion server modules for Apache
libsvn-dev        - Development files for Subversion libraries
libsvn-doc        - Developer documentation for libsvn
libsvn-java       - Java bindings for Subversion
libsvn-perl       - Perl bindings for Subversion
libsvn-ruby       - Ruby bindings for Subversion (dummy package)
libsvn-ruby1.8    - Ruby bindings for Subversion
libsvn1           - Shared libraries used by Subversion
python-subversion - Python bindings for Subversion
subversion        - Advanced version control system
subversion-tools  - Assorted tools related to Subversion

The source package and binary packages for i386 can be found on
ftp.elego.de:

- - URL: ftp://ftp.elego.de/pub/packages/lenny-backports
- - dget ftp://ftp.elego.de/pub/packages/lenny-backports/subversion_1.6.12dfsg-5~bpo50+1.dsc

Also, the source package should eventually become available on
mentors.debian.net:

- - URL: http://mentors.debian.net/debian/pool/main/s/subversion
- - Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
- - dget http://mentors.debian.net/debian/pool/main/s/subversion/subversion_1.6.12dfsg-5~bpo50+1.dsc

Version Control System:

- - VCS: svn://svn.debian.org/pkg-subversion/src/lenny-backports-1.6.x/
- - VCS browser: http://svn.debian.org/wsvn/pkg-subversion/src/lenny-backports-1.6.x/

I would be glad if someone uploaded this package for me.

Kind regards
- --
Michael Diers, elego Software Solutions GmbH, http://www.elego.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1wHdYACgkQcEKlWnqVgz0i7wCgsM90mRCyMPw9xupTnEPLi4Gq
qeUAoKpbDfTwhzDHYbHTVtkRyL4gkPp6
=Ym3w
-----END PGP SIGNATURE-----

[ A BSA number request for this security update is pending with
  t...@backports.debian.org. Please replace XXX by the number that is
  eventually assigned. Also please replace the placeholder <Uploader>
  with your name. ]

Subject: [BSA-XXX] Security Update for subversion

<Uploader> uploaded new packages for subversion which fixed the
following security problems:

CVE-2011-0715

  Subversion's mod_dav_svn Apache HTTPD server module will dereference
  a NULL pointer if a lock token is sent in a HTTP request by a
  Subversion client which has not authenticated to the server.

  http://subversion.apache.org/security/CVE-2011-0715-advisory.txt

For the lenny-backports distribution the problems have been fixed in
version 1.6.12dfsg-5~bpo50+1.

For the stable distribution (squeeze) the problems have been fixed in
version 1.6.12dfsg-5.

For the unstable distribution (sid) the problems have been fixed in
version 1.6.16dfsg-1. This version is expected to be migrated to the
testing distribution (wheezy) shortly.

If you don't use pinning (see [1]) you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>" with
the packagelist of your installed packages affected by this update.

[1] <http://backports.debian.org/Instructions>

We recommend to pin (in /etc/apt/preferences) the backports repository
to 200 so that new versions of installed backports will be installed
automatically.

  Package: *
  Pin: release a=lenny-backports
  Pin-Priority: 200