Please backport security fix for USN-812-1 in subversion 1.5

Bug #411849 reported by Arnd
This bug affects 2 people
Affects: Hardy Backports | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Last week 1.5.1dfsg1-1ubuntu2.1 was rolled out in Ubuntu 8.10 intrepid fixing a security issue. (USN-812-1/CVE-2009-2411).
As the backport 1.5.1dfsg1-1ubuntu2~hardy2 is affected as well, it would be very nice to backport the security fix.

Thanks,
Arnd

Revision history for this message
Arnd (arnd-arndnet) wrote :

I copied the fix from intrepid and uploaded the resulting package to my PPA:
https://launchpad.net/~arnd-arndnet/+archive/ppa

visibility: private → public
Revision history for this message
Arnd (arnd-arndnet) wrote :

Add .debdiff which updates subversion_1.5.1dfsg1-1ubuntu2~hardy2 to subversion_1.5.1dfsg1-1ubuntu2.1~hardy and includes the security fix from subversion_1.5.1dfsg1-1ubuntu2.1 (intrepid)

Revision history for this message
Arnd (arnd-arndnet) wrote :

It's quite embarrassing that this is still not even confirmed.
Maybe the ubuntu backports process is somehow broken?
This is a known, easy to fix security bug. It's ridiculous that I had to report it in the first place.

Revision history for this message
Arnd (arnd-arndnet) wrote :

What should I do to get this fix uploaded to the ubuntu backports repositories?

Revision history for this message
Arnd (arnd-arndnet) wrote :

Ping?

Revision history for this message
mark (linuxmad) wrote :

I cannot believe this hasn't been fixed; it makes me seriously re-think the idea of possibly moving to something like Ubuntu Server for a production environment!

Revision history for this message
mark (linuxmad) wrote :

Mind you, it does say in the Ubuntu release notes that backports aren't going to have security fixes etc. on them... So it's one of those problems, I suppose.

Revision history for this message
Arnd (arnd-arndnet) wrote :

I understand that the ubuntu security team does not officially support backports.
But in this particular case, where the security fix was already done for the exact same package in intrepid, I simply have trouble understanding that no one takes a few secs to start a rebuild of the package.
Maybe, the backports repository should be renamed to something more adequate. I propose "backdoors"...

Revision history for this message
John Vivirito (gnomefreak) wrote : Re: [Bug 411849] Re: Please backport security fix for USN-812-1 in subversion 1.5

On 02/03/2010 05:18 AM, mark wrote:
> Mind you, it does say in the Ubuntu release notes that backports aren't
> going to have security fixes etc on them... So its one of those problems
> I suppose
>
The fix will be pushed to the *-security repo, not backports, if and
when it's fixed.

--
Sincerely Yours,
    John Vivirito

https://launchpad.net/~gnomefreak
https://wiki.ubuntu.com/JohnVivirito
Linux User# 414246

"How can i get lost, if i have no where to go"
    -- Metallica from Unforgiven III

Revision history for this message
Arnd (arnd-arndnet) wrote :

Hi John,

John Vivirito wrote:
> On 02/03/2010 05:18 AM, mark wrote:
>
>> Mind you, it does say in the Ubuntu release notes that backports aren't
>> going to have security fixes etc on them... So its one of those problems
>> I suppose
>>
>>
> The fix will be pushed to *-security repo not backports if and
> when its fixed
>

As you seem more familiar with the backports / backports-security
process, what can I do to move this bug forward?

Best regards,
Arnd

Revision history for this message
John Vivirito (gnomefreak) wrote :

Subscribed Ubuntu Security Team to review the diff above

Revision history for this message
John Vivirito (gnomefreak) wrote :

On 02/03/2010 08:15 AM, Arnd wrote:
> Hi John,
>
> John Vivirito wrote:
>> On 02/03/2010 05:18 AM, mark wrote:
>>
>>> Mind you, it does say in the Ubuntu release notes that backports aren't
>>> going to have security fixes etc on them... So its one of those problems
>>> I suppose
>>>
>>>
>> The fix will be pushed to *-security repo not backports if and
>> when its fixed
>>
>
> as you seem more familiar with the backports / backports-security
> process. What can I do to move this bug forward?
>
> Best regards,
> Arnd
>
Since you have a diff on the bug, is this still up to date?
Other than that, I subscribed the team to look at it.


Revision history for this message
Arnd (arnd-arndnet) wrote :

Hi John,

John Vivirito wrote:
> Since you have diff on the bug. Is this still up to date?
> other than that i subscribed the team to look at i
Yes, the bug is still valid.
Most recent version in the backports repos is
1.5.1dfsg1-1ubuntu2~hardy2
which is still vulnerable to the mentioned attack.

Best regards,
Arnd

Revision history for this message
John Vivirito (gnomefreak) wrote :

On 02/09/2010 05:15 PM, Arnd wrote:
> Hi John,
>
> John Vivirito wrote:
>> Since you have diff on the bug. Is this still up to date?
>> other than that i subscribed the team to look at i
> Yes bug is still valid.
> Most recent version in the backports repos is
> 1.5.1dfsg1-1ubuntu2~hardy2
> which is still vulnerable to the mentioned attack.
>
> Best regards,
> Arnd
>
Ok, thanks for the reply; someone should look at this and
decide what to do with it.


Revision history for this message
Arnd (arnd-arndnet) wrote :

Ping?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

While the ubuntu-security team is (now) subscribed and aware of the issue, this is something the ubuntu-backports team must process.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I meant to also say that a debdiff should not be required; it should be a matter of someone from the backports team processing the request (I've not reviewed this particular case though).

Revision history for this message
John Dong (jdong) wrote :

The patch http://launchpadlibrarian.net/30423782/subversion_1.5.1dfsg1-1ubuntu2.1~hardy1.debdiff posted by Arnd looks reasonable to me, and should be applied to hardy-backports. This will require a core-dev sponsor to upload. The -backports team ACKs the debdiff and apologizes for the ridiculously and unreasonably long delay in getting this out :(

Revision history for this message
John Dong (jdong) wrote :

Wow, clearly the coffee didn't kick in well this morning.... I can upload the debdiff. Doing so now!

John Dong (jdong)
Changed in hardy-backports:
status: New → Fix Committed
Revision history for this message
John Dong (jdong) wrote :

*groan* Looks like I'm not allowed to upload there anymore... Requesting core-dev sponsorship on said patch!

Changed in hardy-backports:
status: Fix Committed → In Progress
Revision history for this message
Arnd (arnd-arndnet) wrote :

Hi John,

thanks for taking some time to look into this.
Any progress so far?

Best regards,
Arnd

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

NAK. The debdiff drops the changes introduced in hardy1 and hardy2. Please update the debdiff and I'll review it.

Revision history for this message
Arnd (arnd-arndnet) wrote :

Hi,

On 02.03.2010 17:08, Jamie Strandboge wrote:
> NAK. The debdiff drops the changes introduced in hardy1 and hardy2.
> Please update the debdiff and I'll review it.
>

I'm sorry, could you elaborate on which change the debdiff drops?
The change from hardy1 to hardy2 was "switched libneon-gnutls-dev to libneon-dev";
the debdiff does not touch this change, does it?

Or does the debdiff need to include all changes against some other base
version and not against subversion_1.5.1dfsg1-1ubuntu2~hardy2?

Or are you concerned about the version number?

I changed

1.5.1dfsg1-1ubuntu2~hardy2

to

1.5.1dfsg1-1ubuntu2.1~hardy1

Maybe it should be

1.5.1dfsg1-1ubuntu2.1~hardy2 instead?

Best regards,
Arnd

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Actually, it is my mistake. I was thinking that you were taking the package from intrepid and therefore lost the hardy changes, when in fact you were taking the hardy-backports version and applying the patch. I think since you did it this way you should use '1.5.1dfsg1-1ubuntu2~hardy3' instead. I'll adjust and upload. Sorry for the confusion.
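The version-number question in the two comments above (2.1~hardy1 vs. ~hardy3) comes down to dpkg's ordering rules: a backport must sort above the package it replaces and below the release it was taken from, so a later release upgrade still picks up the security update. The following is an added example, not code from this bug or from dpkg; it reimplements dpkg's comparison algorithm (including the "~ sorts before everything" rule) and checks both candidate versions against the versions named in the thread. The helper names `compare_versions` and `backport_version_ok` are my own.

```python
# Reimplementation of dpkg's version ordering, to sanity-check backport version strings.
import re
from itertools import zip_longest

def _order(c):
    # '~' sorts before everything, even the end of the string (0);
    # letters sort before every other non-digit character (dpkg's order()).
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(x, y):
    # Element-wise on _order values; a missing character counts as 0.
    for cx, cy in zip_longest(map(_order, x), map(_order, y), fillvalue=0):
        if cx != cy:
            return cx - cy
    return 0

def _cmp_fragment(a, b):
    # dpkg alternates non-digit runs (compared via _order) and digit runs
    # (compared numerically); the regex yields exactly those pairs.
    pairs_a = re.findall(r"(\D*)(\d*)", a)
    pairs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        r = _cmp_nondigit(sa, sb) or (int(na or 0) - int(nb or 0))
        if r:
            return r
    return 0

def _split(v):
    # [epoch:]upstream[-debian_revision]; the last '-' separates the revision.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)

HARDY_BACKPORT = "1.5.1dfsg1-1ubuntu2~hardy2"   # vulnerable hardy-backports build (from the thread)
INTREPID_FIX = "1.5.1dfsg1-1ubuntu2.1"         # USN-812-1 update in intrepid (from the thread)

def backport_version_ok(candidate, current=HARDY_BACKPORT, next_release=INTREPID_FIX):
    # A backport must upgrade the current package and still be replaced on a
    # release upgrade, i.e. current < candidate < next_release.
    return compare_versions(current, candidate) < 0 < compare_versions(next_release, candidate)
```

Both "1.5.1dfsg1-1ubuntu2.1~hardy1" and "1.5.1dfsg1-1ubuntu2~hardy3" satisfy the check; the uploaded ~hardy3 form simply keeps the hardy-backports lineage visible in the version string.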

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Uploaded and building:

subversion (1.5.1dfsg1-1ubuntu2~hardy3) hardy-backports; urgency=low

  * Backported security fix from intrepid (LP: #411849)

Changed in hardy-backports:
status: In Progress → Fix Released