Apache Subversion "mod_authz_svn" Denial of Service Vulnerability

Bug #1915698 reported by it0001
Affects: subversion (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

A NULL pointer dereference in the mod_authz_svn module can be triggered by a specially crafted request and crashes the httpd process handling that request, which is a denial of service against the Subversion server.

Successful exploitation requires the Apache HTTPD server to be configured to use an in-repository authz file. Per the vendor's advisory, the crash occurs when in-repository authz rules are enabled through the AuthzSVNReposRelativeAccessFile directive and a client requests a repository URL that does not exist; servers that load their authz rules from a file on disk with AuthzSVNAccessFile are not affected by this report.

The vulnerability is reported in versions 1.9.0 through 1.10.6 and 1.11.0 through 1.14.0.

Affected Software

The following software is affected by the described vulnerability. Check the vendor links below to confirm whether your exact version is affected.

Apache Subversion 1.x

Solution

Update to version 1.14.1 or 1.10.7, or install a distribution package that backports the upstream fix.
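As an added example (not code from the Subversion project and not part of this bug report), the following Python script checks the two preconditions the description names: a Subversion build inside the affected ranges, and an Apache <Location> block that enables the in-repository authz path. It assumes the enabling directive is AuthzSVNReposRelativeAccessFile, which the upstream advisory names but this page does not; the sample Apache configuration is constructed for the example, and the version string is one you would paste from `svn --version` or your package manager.

```python
"""Audit helper for the mod_authz_svn crash (CVE-2020-17525).

Added example; not code from the Subversion project or the bug reporter.
Assumptions that go beyond the bug page:
  * the directive that enables in-repository authz rules is
    AuthzSVNReposRelativeAccessFile (named in the upstream advisory);
  * the Apache configuration is available as text. SAMPLE_CONFIG below
    is constructed for this example, not taken from a real server.
"""
import re

# Affected ranges from the bug description, inclusive on both ends.
AFFECTED_RANGES = (((1, 9, 0), (1, 10, 6)), ((1, 11, 0), (1, 14, 0)))


def parse_version(text):
    """Extract (major, minor, patch) from '1.13.0' or 'svn, version 1.14.1 (...)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True if the build falls in one of the ranges the bug lists."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


_LOCATION = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)


def find_exposed_locations(config_text):
    """Return [(location, access_file)] for each <Location> block that sets
    AuthzSVNReposRelativeAccessFile. A value starting with '^/' means the
    rules are read from inside the repository, the configuration the
    advisory describes; blocks that only use AuthzSVNAccessFile are skipped."""
    found = []
    for m in _LOCATION.finditer(config_text):
        location, body = m.group(1).strip(), m.group(2)
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()  # ignore comment lines
            if not line:
                continue
            parts = line.split(None, 1)
            if parts[0].lower() == "authzsvnreposrelativeaccessfile" and len(parts) == 2:
                found.append((location, parts[1].strip()))
    return found


def audit(version_text, config_text):
    """Both conditions must hold for the crash to be reachable: an affected
    build and a location that routes authz through the repository."""
    exposed = find_exposed_locations(config_text)
    affected = is_affected(version_text)
    return {
        "version_affected": affected,
        "exposed_locations": exposed,
        "vulnerable": affected and bool(exposed),
    }


# Constructed sample: one location with in-repository authz rules, one with
# a conventional on-disk authz file.
SAMPLE_CONFIG = """
<Location /svn>
    DAV svn
    SVNParentPath /srv/svn
    # authz rules kept inside each repository
    AuthzSVNReposRelativeAccessFile ^/authz
    Require valid-user
</Location>

<Location /legacy>
    DAV svn
    SVNPath /srv/legacy
    AuthzSVNAccessFile /etc/apache2/svn-authz
    Require valid-user
</Location>
"""

if __name__ == "__main__":
    import json
    # Ubuntu 20.04 ships the 1.13 series, which is inside the affected range.
    print(json.dumps(audit("svn, version 1.13.0", SAMPLE_CONFIG), indent=2))
```

The script only reads text, so it can be run against a copy of the httpd configuration from a build host without touching the production server; a result with `vulnerable: true` means the fix (1.14.1, 1.10.7, or a distribution backport) is needed, while `version_affected: true` with no exposed locations means the build is old but the crashing code path is not reachable with the current configuration.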

References

1. https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

Please take appropriate measures.

CVE References

CVE-2020-17525
it0001 (it0001-escrypt)
description: updated
information type: Private Security → Public Security
Changed in subversion (Ubuntu):
status: New → Confirmed
Thomas Åkesson (takesson) wrote :

What is the process for making Subversion 1.14.1 available to Ubuntu 20.04?

Subversion 1.14 is an LTS release which makes sense for Ubuntu 20.04.

Seth Arnold (seth-arnold) wrote :

Probably the change from Subversion 1.13 to 1.14 is larger than the stable-release-update team would be willing to work with. However, I can't speak for them; here's the wiki page describing the process for performing updates on packages after release: https://wiki.ubuntu.com/StableReleaseUpdates

I suggest having a conversation about it with the sru team before starting to work on it.

Thanks

it0001 (it0001-escrypt) wrote :

Any progress or time estimation to fix this?
Thanks.

it0001 (it0001-escrypt) wrote :

Is anyone working on this?

Thomas Åkesson (takesson) wrote :

I suppose it would be listed here if anyone was working on it:
https://people.canonical.com/~ubuntu-archive/pending-sru.html

Debian has patched "sid" and "buster":
https://security-tracker.debian.org/tracker/CVE-2020-17525

it0001 (it0001-escrypt) wrote :

Is it planned that someone work on it?
Sorry, but we need to ensure security in our company.

Thomas Åkesson (takesson) wrote :

I am in the same situation. We should probably try to understand the wiki page that Seth linked to but I have yet to find the time to understand all the Ubuntu-specifics.

it0001 (it0001-escrypt) wrote :

Any updates?

it0001 (it0001-escrypt) wrote :

Could you please give a deadline for this update?

Eduardo Barretto (ebarretto) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

it0001 (it0001-escrypt) wrote :

I am trying to build the package, but I meet this error:

$ bzr builddeb -- -us -uc
...
dh_auto_configure: ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking returned exit code 1
debian/rules:18: recipe for target 'binary' failed
make: *** [binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit status 2
debuild: fatal error at line 1152:
dpkg-buildpackage -rfakeroot -us -uc -ui failed
bzr: ERROR: The build failed.

I followed:
https://packaging.ubuntu.com/html/packaging-new-software.html
https://packaging.ubuntu.com/html/debian-dir-overview.html
https://svn.apache.org/repos/asf/subversion/trunk/INSTALL
https://subversion.apache.org/source-code.html

In particular, I left the rules file as it is. Any ideas how to fix this?

Eduardo Barretto (ebarretto) wrote :

If you're trying to bring the latest release of subversion to Ubuntu, then you need to check the SRU page mentioned by Seth. The SRU has its own whole process and there will be a need for a good reason to have the SRU approved; it is not that simple.

Ubuntu is based on delivering a stable system to users, so we don't normally do version upgrades, instead we backport patches to fix security issues or bugs. This avoids bringing new features and dependencies that the package didn't have before and breaking systems.

If your concern is just regarding that security issue, CVE-2020-17525, then try to follow the steps that I've mentioned in comment #10.

Hope it helps :)

it0001 (it0001-escrypt) wrote :

Debian already ships the new package version: https://packages.debian.org/testing/subversion
Can this help you?

it0001 (it0001-escrypt) wrote :

If this is not sufficient, then it's not clear to me what I did wrong.

it0001 (it0001-escrypt) wrote :

Could someone provide an indication? Thanks.

it0001 (it0001-escrypt) wrote :

any update?

it0001 (it0001-escrypt) wrote :

hello??
