Thanks for the advice.

On Wed, 1 Nov, 2023, 10:52 pm Mark Phippard, <markp...@gmail.com> wrote:

> It sounds like it is settled and you are all set.
>
> That said, let's pretend these vulnerabilities were real and not patched.
>
> 1. IMO, you can generally trust Debian/Ubuntu/Red Hat to make good
> decisions on backporting security fixes. If they didn't for some
> reason they probably had a reason why.
> 2. Worst case, you can file an issue with the distro to request the
> backport be made and then see what they say
>
> I just think you are better off using the packages from your distro
> than hunting around and installing your own binaries. That actually
> increases your likelihood of adding security vulnerabilities to your
> machine in the long term.
>
> Mark
>
> On Wed, Nov 1, 2023 at 12:20 PM JITHIN K <jithin...@gmail.com> wrote:
> >
> >
> >
> > On Wed, Nov 1, 2023 at 9:44 PM Stanimir Stamenkov via users <users@subversion.apache.org> wrote:
> >>
> >> Wed, 1 Nov 2023 20:36:17 +0530, /JITHIN K/:
> >>
> >> > The Subversion version in my Ubuntu server is 1.13.0-3ubuntu0.2 and when
> >> > I check the change log
> >> > https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
> >> > I could see that the security update for CVE-2020-17525 is included in
> >> > 1.13.0-3ubuntu0.2, but patches for the other three were not included
> >> > (CVE-2021-21298, CVE-2021-21297, CVE-2021-21296). Does that mean the
> >> > next Ubuntu 20.04.x release will include patches for these vulnerabilities?
> >>
> >> Funny, I'm not seeing the latter three related to Subversion:
> >>
> >> * https://nvd.nist.gov/vuln/detail/CVE-2021-21298 (Node-Red)
> >> * https://nvd.nist.gov/vuln/detail/CVE-2021-21297 (Node-Red)
> >> * https://nvd.nist.gov/vuln/detail/CVE-2021-21296 (Fleet)
> >>
> >> > On Mon, Oct 30, 2023 at 9:32 AM JITHIN K wrote:
> >> >
> >> >> CVE-2020-17525: Denial of service vulnerability in mod_authz_svn
> >> >> module. This vulnerability can be exploited by an attacker to cause
> >> >> Apache Subversion to crash.
> >> >> CVE-2021-21298: Insecure deserialization vulnerability in
> >> >> libsvn_xml library. This vulnerability can be exploited by an
> >> >> attacker to execute arbitrary code on the Subversion server.
> >> >> CVE-2021-21297: Heap-based buffer overflow vulnerability in
> >> >> libsvn_fs_x library. This vulnerability can be exploited by an
> >> >> attacker to execute arbitrary code on the Subversion server.
> >> >> CVE-2021-21296: Integer overflow vulnerability in libsvn_diff
> >> >> library. This vulnerability can be exploited by an attacker to cause
> >> >> Apache Subversion to crash.
> >> --
> >>
> >
> > Hi Stanimir,
> >
> > Apologies. You are right, the other three vulnerabilities are not related
> > to Subversion.
> >
> > Thank you.
> >
> >
>
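The thread's approach is to read the distro package changelog and see which CVE identifiers a given package version mentions. The checker below is an added example (not code from the list, from Ubuntu, or from the Subversion project); the changelog text is constructed in the Debian changelog format and is not the real Ubuntu entry, and the `cve_coverage` and `parse_changelog` names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Debian changelog entry header: "<package> (<version>) <distribution>; urgency=..."
HEADER_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<ver>[^)]+)\) (?P<dist>\S+);")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in Debian changelog syntax (not the actual Ubuntu changelog text).
SAMPLE_CHANGELOG = """\
subversion (1.13.0-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: denial of service in mod_authz_svn
    - debian/patches/CVE-2020-17525.patch: validate the path before lookup
    - CVE-2020-17525

 -- Example Maintainer <maintainer@example.com>  Mon, 15 Mar 2021 10:00:00 +0000

subversion (1.13.0-3) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maintainer@example.com>  Mon, 11 Nov 2019 10:00:00 +0000
"""


@dataclass
class Entry:
    package: str
    version: str
    distribution: str
    cves: set = field(default_factory=set)


def parse_changelog(text: str) -> list:
    """Split a Debian changelog into entries (newest first) and collect the CVE ids each mentions."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Entry(m["pkg"], m["ver"], m["dist"])
            entries.append(current)
        elif current is not None:
            current.cves.update(CVE_RE.findall(line))
    return entries


def cve_coverage(text: str, wanted: list) -> dict:
    """Map each queried CVE to the newest package version whose entry mentions it (None if absent)."""
    first_seen = {}
    for entry in parse_changelog(text):
        for cve in entry.cves:
            first_seen.setdefault(cve, entry.version)
    return {cve: first_seen.get(cve) for cve in wanted}


if __name__ == "__main__":
    for cve, ver in cve_coverage(SAMPLE_CHANGELOG, ["CVE-2020-17525", "CVE-2021-21298"]).items():
        print(cve, "->", ver or "not mentioned in this changelog")
```

A CVE that is absent from the changelog is not necessarily unfixed: the package may not be affected at all (as with the three Node-RED/Fleet ids above), so an absent id is a prompt to check the distro's security tracker, not a finding.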