-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5119-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 13, 2022                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : subversion
CVE ID         : CVE-2021-28544 CVE-2022-24070

Several vulnerabilities were discovered in Subversion, a version control
system.

CVE-2021-28544

    Evgeny Kotkov reported that Subversion servers reveal 'copyfrom'
    paths that should be hidden according to configured path-based
    authorization (authz) rules.

CVE-2022-24070

    Thomas Weissschuh reported that Subversion's mod_dav_svn is prone to
    a use-after-free vulnerability when looking up path-based
    authorization rules, which can result in denial of service (crash of
    HTTPD worker handling the request).

For the oldstable distribution (buster), these problems have been fixed
in version 1.10.4-1+deb10u3.

For the stable distribution (bullseye), these problems have been fixed in
version 1.14.1-3+deb11u1.

We recommend that you upgrade your subversion packages.

For the detailed security status of subversion please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/subversion

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmJWT8RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0T5nA//cNwSe776flBf6n4X6Lo6zctM1q4ZNsY0dzr1lV9TpOOg4SlA/esb6gDa
9b/Ty+FwOg3T3vdw0HU2rqFTFimb6I+/gM3ly1XOvtqHXj6av4caDtAPk7wyNOdk
Pi4kzd2bISM6rZUqQDGFstMrNk5a+N7TajIT+7UAO7Ar85IDwvke269TsYxEZtka
gjUNRc7J2FXY9QHd47DnD2CK3CGix+t4tKGJVdeHx1zGb/73vSRki0RnwNpAbr2h
wvzj+W9Hx92Nh1GCNoYv3b7oyxjPBerI/v4QrYu2EnPYaV8oLW0JPc4JYf0YPQrR
R/RNhydAzOqFzy05rMCq9WZHwH++fBhJmWctA/LfOJYO+Lrj6HI17D4gPJraofcZ
Jjcb7j156fY7FGclrPDuavOe2GmcylxUmUiwu1eL6PYZ/QAcdbbaw8nf1V1f9cDj
tzTAAIKdRtsCtkC9WYSz/H5+UckJ8XYK3+nxRIblIsHHgk8ICOO5mWEIzEbqzGad
NKwysuNBSFqUQCLMADf0fZTxHts6DF8Sj3yjVaDfCrVqTY+Qk8yTl97dnAxflI3W
HX7ees+yLmHF46P7gskWy0YLSPXmqRkSagpA60AT+DekLpXL+pIBgFN+bgtndr4i
fNAhsxLlmPZ9EVzVbfHT5J3ULRXdi1vwHiXXjuJBKkwNLybCu60=
=Bytg
-----END PGP SIGNATURE-----