It sounds like it is settled and you are all set. That said, let's pretend these vulnerabilities were real and not patched.
1. IMO, you can generally trust Debian/Ubuntu/Red Hat to make good decisions on backporting security fixes. If they didn't for some reason, they probably had a reason why.
2. Worst case, you can file an issue with the distro to request the backport be made and then see what they say.

I just think you are better off using the packages from your distro than hunting around and installing your own binaries. That actually increases your likelihood of adding security vulnerabilities to your machine in the long term.

Mark

On Wed, Nov 1, 2023 at 12:20 PM JITHIN K <jithin...@gmail.com> wrote:
>
> On Wed, Nov 1, 2023 at 9:44 PM Stanimir Stamenkov via users <users@subversion.apache.org> wrote:
>>
>> Wed, 1 Nov 2023 20:36:17 +0530, /JITHIN K/:
>>
>> > The Subversion version in my Ubuntu server is 1.13.0-3ubuntu0.2 and when
>> > I check the change log
>> > https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
>> > I could see that the security update for CVE-2020-17525 is included in
>> > 1.13.0-3ubuntu0.2, but patches for the other three were not included
>> > (CVE-2021-21298, CVE-2021-21297, CVE-2021-21296). Does that mean in the
>> > next Ubuntu 20.04.x release they include patches for these vulnerabilities?
>>
>> Funny, I'm not seeing the latter three related to Subversion:
>>
>> * https://nvd.nist.gov/vuln/detail/CVE-2021-21298 (Node-Red)
>> * https://nvd.nist.gov/vuln/detail/CVE-2021-21297 (Node-Red)
>> * https://nvd.nist.gov/vuln/detail/CVE-2021-21296 (Fleet)
>>
>> > On Mon, Oct 30, 2023 at 9:32 AM JITHIN K wrote:
>> >
>> >> CVE-2020-17525: Denial of service vulnerability in mod_authz_svn
>> >> module. This vulnerability can be exploited by an attacker to cause
>> >> Apache Subversion to crash.
>> >> CVE-2021-21298: Insecure deserialization vulnerability in
>> >> libsvn_xml library. This vulnerability can be exploited by an
>> >> attacker to execute arbitrary code on the Subversion server.
>> >> CVE-2021-21297: Heap-based buffer overflow vulnerability in
>> >> libsvn_fs_x library. This vulnerability can be exploited by an
>> >> attacker to execute arbitrary code on the Subversion server.
>> >> CVE-2021-21296: Integer overflow vulnerability in libsvn_diff
>> >> library. This vulnerability can be exploited by an attacker to cause
>> >> Apache Subversion to crash.
>> --
>
> Hi Stanimir,
>
> Apologies. You are right, the other three vulnerabilities are not related to
> Subversion.
>
> Thank you.
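The check JITHIN describes above, reading a distro changelog to see which CVE ids a package version references, can be scripted so it is repeatable across packages; this is an added example, not code from the thread or from the Subversion project. It parses Debian-format changelog stanzas and reports which version first mentions each wanted CVE; the changelog text is a constructed sample, not the real Ubuntu changelog, and the maintainer name, address and dates are placeholders.

```python
import re

# Constructed sample in Debian changelog format (NOT the real Ubuntu
# changelog linked in the thread); it mimics one security stanza and one
# non-security stanza.  Maintainer and dates are placeholders.
SAMPLE_CHANGELOG = """\
subversion (1.13.0-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: denial of service in mod_authz_svn
    - debian/patches/CVE-2020-17525.patch: fix from upstream.
    - CVE-2020-17525

 -- Maintainer Name <maintainer@example.invalid>  Wed, 17 Mar 2021 10:00:00 +0000

subversion (1.13.0-3ubuntu0.1) focal; urgency=medium

  * Rebuild against updated libraries (no security content).

 -- Maintainer Name <maintainer@example.invalid>  Mon, 01 Jun 2020 09:00:00 +0000
"""

# Stanza header: "<package> (<version>) <distribution>; urgency=..."
HEADER_RE = re.compile(r"^(?P<pkg>\S+) \((?P<version>[^)]+)\) \S+;")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def cves_by_version(changelog):
    """Map each version stanza (newest first) to the set of CVE ids it mentions."""
    result = {}
    current = None
    for line in changelog.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("version")
            result.setdefault(current, set())
        elif current is not None:
            result[current].update(CVE_RE.findall(line))
    return result


def backport_status(changelog, wanted):
    """Return {cve: newest version mentioning it, or None if never referenced}."""
    by_version = cves_by_version(changelog)
    status = {}
    for cve in wanted:
        hits = [v for v, ids in by_version.items() if cve in ids]
        status[cve] = hits[0] if hits else None
    return status


if __name__ == "__main__":
    wanted = ["CVE-2020-17525", "CVE-2021-21298", "CVE-2021-21297", "CVE-2021-21296"]
    for cve, version in backport_status(SAMPLE_CHANGELOG, wanted).items():
        print(f"{cve}: {'fixed in ' + version if version else 'not referenced'}")
```

On a real host the input would come from `apt changelog subversion`; a CVE that is absent from every stanza is only evidence that the changelog does not cite it, so confirm against the distro's security tracker before concluding the package is unpatched.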