Hello Mark,

Thank you, and I appreciate your email. The Subversion version on my Ubuntu server is 1.13.0-3ubuntu0.2, and when I check the changelog at https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog I can see that the security update for CVE-2020-17525 is included in 1.13.0-3ubuntu0.2, but patches for the other three (CVE-2021-21298, CVE-2021-21297, CVE-2021-21296) are not included. Does that mean the next Ubuntu 20.04.x release will include patches for these vulnerabilities?

Thanks.

Regards,
Jithin

On Mon, Oct 30, 2023 at 7:23 PM Mark Phippard <markp...@gmail.com> wrote:
> Generally speaking, you do not need to worry about this when using a supported distro like Ubuntu. While they do not update to new versions of a package like Subversion, they do their own backporting of security and other important fixes to the version in their distro. So the 1.13 that is in Ubuntu is not exactly equivalent to Subversion 1.13. It is really 1.13 + all fixes that Ubuntu thinks they should backport. You can see the changelog here and these fixes have all been backported:
>
> http://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
>
> This is true across ALL the packages that the distro provides.
>
> It is not that I do not think upgrading to 1.14 has some value, it is that in general I do not recommend fighting against your distro. Use the packages they provide and support. The distro is your real source of support, not all the OSS projects that are packaged into it.
>
> Mark
>
> On Mon, Oct 30, 2023 at 9:32 AM JITHIN K <jithin...@gmail.com> wrote:
> >
> > On Thu, Oct 26, 2023 at 7:36 PM Mark Phippard <markp...@gmail.com> wrote:
> >>
> >> On Thu, Oct 26, 2023 at 9:59 AM Nathan Hartman <hartman.nat...@gmail.com> wrote:
> >> >>
> >> >> -------- Forwarded Message --------
> >> >
> >> > (snip headers)
> >> >>
> >> >> Hello Users Community,
> >> >>
> >> >> Hope you are doing great.
> >> >> I have installed Apache Subversion 1.13 on Ubuntu 20.04.5 using apt-get (from the Ubuntu package) and also installed libapache2-mod-svn. I do not have any plan to upgrade the OS to Ubuntu 22.04. I am trying to find out whether, if I use apt-get upgrade subversion, it will automatically upgrade Subversion to 1.14 and also upgrade the library.
> >> >
> >> > Not by default (however, see below): Generally, once an Ubuntu release line like 20.04.x is made, software in the Ubuntu package repositories will get only bug fixes and security fixes, not new features. This means that the Subversion packages will remain at 1.13.x for Ubuntu 20.04.x when using the default package repositories.
> >> >
> >> > However, it is likely that Ubuntu's backports repositories have the newer Subversion 1.14.x releases. The backports repositories are the preferred way to install newer releases of software packages on older releases of Ubuntu.
> >>
> >> I would add that I do not believe there are compelling reasons to upgrade from 1.13 to 1.14 if your distro hasn't. I would recommend sticking with what your distro is providing unless there is some highly compelling reason to install your own package. This is especially true on a server.
> >>
> >> If you really have a need for 1.14, I would upgrade your entire distro to a version that provides it.
> >>
> >> Mark
> >
> > Hello Mark,
> >
> > As per my understanding, Subversion 1.13 is no longer supported and no security patches have been released for the following items in Subversion 1.13.
> >
> > CVE-2020-17525: Denial of service vulnerability in the mod_authz_svn module. This vulnerability can be exploited by an attacker to cause Apache Subversion to crash.
> > CVE-2021-21298: Insecure deserialization vulnerability in the libsvn_xml library. This vulnerability can be exploited by an attacker to execute arbitrary code on the Subversion server.
> > CVE-2021-21297: Heap-based buffer overflow vulnerability in the libsvn_fs_x library. This vulnerability can be exploited by an attacker to execute arbitrary code on the Subversion server.
> > CVE-2021-21296: Integer overflow vulnerability in the libsvn_diff library. This vulnerability can be exploited by an attacker to cause Apache Subversion to crash.
> >
> > This is the reason why I am looking for an upgrade to Subversion 1.14.5.
> >
> > Thank you.
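A small check for the question this thread keeps circling back to, namely whether the installed package's Debian changelog names a given CVE, as an added example that is not code from the Subversion project, from Ubuntu, or from anyone on the list. It parses the standard Debian changelog entry format; the changelog text embedded below is constructed for the demo and is not the real subversion_1.13.0-3ubuntu0.2 changelog, and the `apt-get changelog` command and `/usr/share/doc/<pkg>/changelog.Debian.gz` path mentioned in the comments are the usual Debian/Ubuntu locations.

```python
import re

# Debian changelog entry header: "<source> (<version>) <distribution>; urgency=<level>"
ENTRY_RE = re.compile(r"^(\S+) \((\S+)\) (\S+); urgency=", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# CONSTRUCTED sample in Debian changelog format for this demo; it is NOT the
# real subversion_1.13.0-3ubuntu0.2 changelog from changelogs.ubuntu.com.
# On a real host feed in the output of: apt-get changelog subversion
#   (or: zcat /usr/share/doc/subversion/changelog.Debian.gz)
SAMPLE_CHANGELOG = """\
subversion (1.13.0-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: denial of service in mod_authz_svn
    - CVE-2020-17525

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Mar 2021 10:00:00 +0000

subversion (1.13.0-3ubuntu0.1) focal; urgency=medium

  * Constructed non-security entry (no CVE reference)

 -- Example Maintainer <maintainer@example.invalid>  Tue, 01 Sep 2020 10:00:00 +0000
"""


def cves_by_version(changelog_text):
    """Return {version: set of CVE ids} for each entry, newest entry first."""
    result = {}
    headers = list(ENTRY_RE.finditer(changelog_text))
    for i, match in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog_text)
        body = changelog_text[match.end():end]
        result[match.group(2)] = set(CVE_RE.findall(body))
    return result


def audit(changelog_text, wanted):
    """Map each wanted CVE id to the newest package version whose entry names it, or None."""
    found = cves_by_version(changelog_text)
    return {cve: next((v for v, ids in found.items() if cve in ids), None) for cve in wanted}


if __name__ == "__main__":
    # The four identifiers asked about in the thread.
    asked = ["CVE-2020-17525", "CVE-2021-21298", "CVE-2021-21297", "CVE-2021-21296"]
    for cve, version in audit(SAMPLE_CHANGELOG, asked).items():
        print(f"{cve}: {'fixed in ' + version if version else 'not named in changelog'}")
```

An identifier that is absent from the changelog only tells you the distro has not shipped a fix under that name; whether the package is actually affected still has to be confirmed against the distro's security tracker.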