Package: subversion
Version: 1.5.1dfsg1-7
Severity: normal

Hi,

I've just done "apt-get install subversion" with the intention of fixing the security issues reported in DSA 2251-1. Two issues:

1. The security issues are apparently in mod_dav_svn, which is part of the libapache2-svn package, not the subversion package. Installing a new subversion does not pull in a new libapache2-svn package because there is no dependency. libapache2-svn is not mentioned in the DSA. So a user who reads the DSA and does an "apt-get install subversion" will not resolve the security problem.

Suggestions:
(a) since a dependency is undesirable, maybe add a 'conflicts' with the insecure old version, or something of that sort;
(b) mention the libapache2-svn package in the DSA.

2. Even after installing the new libapache2-svn, it appears that Apache continues to use the old version until it is restarted. Installing a new libapache2-svn package should either restart apache, or prompt the user to do so.

These sorts of issues are minor for regular updates, but for security updates it's important that the user is not left with a false sense that they are safe, when they are not.

Regards, Phil.

-- System Information:
Debian Release: 4.0
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21-1-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages subversion depends on:
ii  libapr1     1.2.7-8.2       The Apache Portable Runtime Librar
ii  libc6       2.10.2-6        Embedded GNU C Library: Shared lib
ii  libsasl2-2  2.1.22.dfsg1-8  Authentication abstraction library
ii  libsvn1     1.5.1dfsg1-7    Shared libraries used by Subversio

subversion recommends no packages.

-- no debconf information
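
For point 2 of the report, an added example (not part of the original message, and not Debian's or Subversion's own code): a shell check that lists shared libraries a running process still has mapped from files that have since been replaced on disk, which is how a pre-upgrade mod_dav_svn stays loaded until Apache is restarted. The maps lines in `sample_maps` are constructed, and the `--scan` option and function names are hypothetical.

```shell
#!/bin/sh
# Added example: after a package upgrade, the old library file is unlinked but
# stays mapped in running processes; /proc/<pid>/maps marks it "(deleted)".
# Usage (assumed process name apache2): sh this-script --scan $(pidof apache2)

# stale_libs: read /proc/<pid>/maps-format text on stdin and print each
# distinct shared-object path whose backing file was deleted or replaced.
stale_libs() {
    awk '$NF == "(deleted)" && $6 ~ /\.so/ {
             path = $6
             if (!(path in seen)) { seen[path] = 1; print path }
         }'
}

# check_pid: print "<pid> <path>" for every stale library of one process.
# Unreadable or vanished processes are skipped silently.
check_pid() {
    pid=$1
    [ -r "/proc/$pid/maps" ] || return 0
    stale_libs < "/proc/$pid/maps" | sed "s|^|$pid |"
}

# sample_maps: constructed maps excerpt for an Apache worker after
# libapache2-svn and libsvn1 were upgraded without a restart.
sample_maps() {
    cat <<'EOF'
b7c10000-b7c2e000 r-xp 00000000 08:01 131201 /usr/lib/apache2/modules/mod_dav_svn.so (deleted)
b7c2e000-b7c2f000 rw-p 0001d000 08:01 131201 /usr/lib/apache2/modules/mod_dav_svn.so (deleted)
b7d00000-b7dd0000 r-xp 00000000 08:01 131077 /usr/lib/libsvn_repos-1.so.1.0.0 (deleted)
b7e00000-b7f40000 r-xp 00000000 08:01 130912 /lib/i686/cmov/libc-2.10.2.so
b7f50000-b7f51000 rw-s 00000000 00:09 4021 /SYSV00000000 (deleted)
bfd00000-bfd15000 rw-p 00000000 00:00 0 [stack]
EOF
}

# With --scan, check each PID given on the command line.
if [ "${1:-}" = "--scan" ]; then
    shift
    for p in "$@"; do check_pid "$p"; done
fi
```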