Hi James, [Disclaimer I'm not a member of release team]
On Sat, Jan 04, 2025 at 08:10:30PM -0500, James McCoy wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: subvers...@packages.debian.org
> Control: affects -1 + src:subversion
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> CVE-2024-46901 was issued for subversion. Although it's marked no DSA,
> it would be useful to provide the update to the stable release.
>
> https://security-tracker.debian.org/tracker/CVE-2024-46901
>
> [ Impact ]
> Malicious subversion clients can cause DoS of mod_dav_svn servers by
> making commits which contain control characters in paths or revision
> properties.
>
> [ Tests ]
> A new test was added by upstream and included in the backport. I've
> added a run of the upstream tests over the dav protocol into the package
> so the test is exercised.
>
> [ Risks ]
> The changes are relatively straightforward. Existing checks from the
> fix for the previous CVE have been incorporated in other code paths to
> ensure all relevant code paths are protecting against commits with
> control characters.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> * Salsa CI config was added to the package. This was previously
>   configured in the repo, rather than as a file in the packaging.
> * Additional test-specific Build-Depends (apache2-bin, apache2-utils,
>   net-tools, and wget) are added to run upstream's "make davautocheck"
>   (the target that runs all relevant tests using mod_dav_svn to access
>   the repository).
> * debian/rules now runs "make davautocheck" in addition to the existing
>   "make check" (which uses file:// access to the repository).
> * Upstream's fix and respective test are backported
>
> Full commit log is
> https://salsa.debian.org/jamessan/subversion/-/compare/debian/1.14.2-4...debian/bookworm
>
> [ Other info ]
> The fix was also included in 1.14.5, which is already in testing /
> unstable. While verifying the patch and accompanying test for the
> bookworm upload, I also discovered that I needed to run davautocheck to
> exercise the mod_dav_svn path for interacting with the svn repository.
> That is now enabled in sid via 1.14.5-2 and also in this upload.

Given the window is closing very soon this weekend, if you see this in
time, can you upload it if you are confident that it will be accepted as
is by the SRM? The "improved workflow" allows you to upload along with a
release.d.o bug *iff* you are confident that the upload can be accepted
(and so to reduce turnarounds).

Regards,
Salvatore
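The [ Impact ] and [ Risks ] sections above describe the class of check the fix adds: commits whose paths or revision properties carry control characters must be rejected before a mod_dav_svn server processes them. The following is an added example, written for this page and not code from upstream Subversion or from the Debian package, that implements such a validator in Python. It assumes a policy (my assumption, not a statement of what upstream's patch does) that paths and property names reject every C0 control character and DEL, while property values reject only the controls that XML 1.0 disallows, so that a multi-line svn:log still passes. The sample commits are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Assumed policy for this example: a committed path must not contain any
# C0 control character (U+0000..U+001F) or DEL (U+007F).
PATH_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]")

# XML 1.0 forbids every C0 control except TAB, LF and CR.  The DAV
# protocol carries revision properties inside XML, and svn:log values
# legitimately contain newlines, so property *values* are checked against
# this narrower set (again an assumption made for the example).
XML_FORBIDDEN = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def _describe(match: "re.Match") -> str:
    """Human-readable location of one offending character."""
    return "U+%04X at offset %d" % (ord(match.group(0)), match.start())


def check_path(path: str) -> List[str]:
    """Return a list of problems with a committed path (empty if acceptable)."""
    return ["path %r contains control character %s" % (path, _describe(m))
            for m in PATH_FORBIDDEN.finditer(path)]


def check_revprop(name: str, value: str) -> List[str]:
    """Return problems with one revision property.

    Property names get the strict path rule; values get the XML rule so
    that multi-line log messages are still accepted.
    """
    problems = ["revprop name %r contains control character %s" % (name, _describe(m))
                for m in PATH_FORBIDDEN.finditer(name)]
    problems += ["revprop %r value contains control character %s" % (name, _describe(m))
                 for m in XML_FORBIDDEN.finditer(value)]
    return problems


def validate_commit(paths: Iterable[str], revprops: Dict[str, str]) -> List[str]:
    """Collect every problem in a proposed commit; an empty list means accept."""
    problems: List[str] = []
    for p in paths:
        problems.extend(check_path(p))
    for name, value in revprops.items():
        problems.extend(check_revprop(name, value))
    return problems


# Constructed sample commits (not real repository data).
SAMPLE_COMMITS = {
    "clean": (["trunk/README", "trunk/src/main.c"],
              {"svn:log": "Fix build on arm64.\n\nSecond paragraph.",
               "svn:author": "alice"}),
    "path_with_control": (["trunk/evil\x01name.txt"], {"svn:log": "innocent"}),
    "revprop_with_escape": (["trunk/ok.txt"], {"svn:log": "colour\x1b[31m red"}),
}


def reject_report() -> Dict[str, List[str]]:
    """Run every sample commit through the validator; problems per commit."""
    return {label: validate_commit(paths, props)
            for label, (paths, props) in SAMPLE_COMMITS.items()}


if __name__ == "__main__":
    for label, problems in reject_report().items():
        print(label, "->", "ACCEPT" if not problems else "REJECT")
        for p in problems:
            print("   ", p)
```

The point worth carrying over to any real server-side check is the one the [ Risks ] paragraph makes: the validator has to run on every code path that accepts a commit (paths and revision properties alike), not only on the one the original report exercised.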