Comment 7 for bug 406245

Max Bowsher (maxb) wrote :

Dear release team,

This bug has been pending sponsorship since before FeatureFreeze. The current upstream version of Subversion in Karmic is 1.6.1, fairly early on in the lifetime of the 1.6.x series. This merge would see it brought up to 1.6.5, incorporating many upstream bugfixes and at least one upstream security fix. I think it would ultimately be more useful and more maintainable to see Karmic released with a newer upstream version rather than putting work into backporting the security fix and whatever handful of bugfixes are problematic enough to be bothered with.

Obviously this needs to happen sooner rather than later, since it's a fairly big change, but as we're currently only hours after FeatureFreeze I hope this exception can be considered reasonable.

I am including the relevant upstream change summary:

Version 1.6.5
(21 Aug 2009, from /branches/1.6.x)
http://svn.collab.net/repos/svn/tags/1.6.5

 User-visible changes:
  * fix mod_dav_svn directory view links to preserve peg revisions (r38021)
  * do not error on Windows when ALLUSERPROFILE dir nonexistent (r38053, -5, -7)
  * properly escape lock comments over ra_neon (r38101, -2)
  * allow syncing copies of '/' over ra_neon and ra_serf (issue #3438)
  * make 'svnlook diff' show empty added or deleted files (r38458)
  * fix building with Apache 2.4 (r36720)
  * fix possible data loss on ext4 and GPFS filesystems (issue #3442)
  * resolve symlinks when checking for ~/.subversion (r36023)
  * don't let svn+ssh SIGKILL ssh processes (issue #2580)
  * allow PLAIN and LOGIN mechanisms with SASL in svnserve (r38205)
  * fix peg revision parsing in filenames like '<email address hidden>' (issue #3416)
  * fix detection of Apache <2.0.56 (r38290, -3, -4)
  * don't pretend to do tree conflict resolution (r38799, -801, -805)
  * fix data corruption when syncing from svnserve to mod_dav_svn (r38686, -7)
  * fix GNOME Keyring with '--non-interactive' option (r38222, -3, -61, -410)
  * fixed: false "File '...' already exists" error during commit (issue #3119)

 Developer-visible changes:
  * avoid referencing uninitialized variables (r38388)
  * plug a couple of error leaks (r38572)
  * improve windows test output (r38616, -7, -9, -49)

Version 1.6.4
(06 Aug 2009, from /branches/1.6.x)
http://svn.collab.net/repos/svn/tags/1.6.4

 User-visible changes:
  * fixed: heap overflow vulnerability on server and client
           See CVE-2009-2411, and descriptive advisory at
           http://subversion.tigris.org/security/CVE-2009-2411-advisory.txt

Version 1.6.3
(22 Jun 2009, from /branches/1.6.x)
http://svn.collab.net/repos/svn/tags/1.6.3

 User-visible changes:
  * fix segfault in WC->URL copy (r37646, -56)
  * let 'svnadmin load' tolerate mergeinfo with "\r\n" (r37768)
  * make svnsync normalize svn:* props to LF line endings (issue #3404)
  * better integration with external merge tools (r36178)
  * return a friendly error message for 'svn diff' (r37735)
  * update dsvn.el for 1.6 (r37774)
  * don't allow setting of props on out-of-date dirs under neon (r37745)
  * improve BASH completion (r36450, -52, -70, -79, -538)
  * always show tree conflicts with 'svn st' (issue #3382)
  * improve correctness of 'svn mergeinfo' (issue #3126)
  * decrease the amount of memory needed for large commits (r37894, -6)
  * work around an APR buffer overflow seen by svnsync (r37622)
  * ra_svn clients now use TCP keep-alives if available (issue #3347)
  * improve 'svn merge' perf by reducing server contact (r37491, -593, -618)
  * stop propagating self-referential mergeinfo in reintegrate merges (r37931)
  * fix NLS detection where -liconv is required for bindtextdomain() (r37827)
  * don't delete unversioned files with 'rm --keep-local' (r38015, -17, -19)
  * bump apr and apr-util versions included in deps to latest. (r37941)
  * avoid temp file name collisions with ra_serf, ra_neon (r37972)
  * fixed: potential segfault with noop file merges (r37779)
  * fixed: incorrect output with 'svn blame -g' (r37719, -23, -41)
  * fixed: bindings don't load FS libs when module search enabled (issue #3413)
  * fixed: DAV RA layers not properly handling update/switch working copy
    directory to revision/place in which it doesn't exist (issue #3414)
  * fixed: potential abort() in the working copy library (r37857)
  * fixed: memory leak in hash reading functions (r37868, -979)

 Developer-visible changes:
  * improve memory usage in file-to-stringbuf APIs (r37907)
  * reduce memory usage for temp string manipulation (r38010)

Version 1.6.2
(11 May 2009, from /branches/1.6.x)
http://svn.collab.net/repos/svn/tags/1.6.2

 User-visible changes:
  * vastly improve memory usage with 'svn merge' (issue #3393)
  * make default depth for merge 'infinity' (r37156)
  * make 'status --quiet' show tree conflicts (issue #3396)
  * allow '--set-depth infinity' to expand shallow subtrees (r37169)
  * return an error if attempting to reintegrate from/to the repo root (r37385)
  * don't store bogus mergeinfo for '--ignore-ancestry', foreign merges (r37333)
  * don't allow merge of difference between two repos (r37519)
  * avoid potential segfault with subtree mergeinfo (r36613, -15, -31, -41)
  * recommend sqlite 3.6.13 (r37245)
  * avoid unnecessary server query for implicit mergeinfo (r36509)
  * avoid unnecessary server query during reverse merges (r36527)
  * set depth=infinity on 'svn add' items with restricted depth (r37607)
  * fixed: commit log message template missing paths (issue #3399)
  * fixed: segfault on merge with servers < 1.6 (r37363, -67, -68, -79)
  * fixed: repeat merge failures with non-inheritable mergeinfo (issue #3392)
  * fixed: another memory leak when performing mergeinfo-aware merges (r37398)
  * fixed: incorrect mergeinfo on children of shallow merges (issue #3407)
  * fixed: pool lifetime issues in the BDB backend (r37137)

 Developer-visible changes:
  * don't fail if an embedding app has already initialized SQLite (issue #3387)
  * resolve naming collisions with static stat() function in svnserve (r37527)
  * fix an expectation for a failing dirent windows test (r37121)
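
As an added worked example (not part of this bug comment, of the Ubuntu package, or of Subversion's own code): a small Python triage helper that decides, from `svn --version` output, whether a 1.6.x build already carries the CVE-2009-2411 fix. The only fact it relies on is what the pasted CHANGES text states, namely that the fix is listed under 1.6.4; other release series are reported as unknown rather than guessed. The banner strings are constructed sample input, and the function and table names are my own.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Taken from the CHANGES text above: the CVE-2009-2411 heap-overflow fix is
# listed under "Version 1.6.4". Only the 1.6.x series is described there, so
# that is the only series this table covers (assumption: anything else is
# reported as "unknown" rather than guessed at).
CVE_2009_2411_FIRST_FIXED = {
    (1, 6): (1, 6, 4),
}

# `svn --version` prints a first line of the form "svn, version X.Y.Z (rNNNN)".
_BANNER_RE = re.compile(r"^svn, version (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_svn_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) from `svn --version` output, or None."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def has_cve_2009_2411_fix(version: Version) -> Optional[bool]:
    """True if `version` is at or past the first fixed release of its series,
    False if it is older, None if the series is not covered by the table."""
    first_fixed = CVE_2009_2411_FIRST_FIXED.get(version[:2])
    if first_fixed is None:
        return None
    # Tuple comparison is numeric per component, so 1.6.10 correctly sorts
    # after 1.6.4; a plain string comparison would get that wrong.
    return version >= first_fixed


def triage(banner: str) -> str:
    """One-word verdict for a given `svn --version` banner."""
    version = parse_svn_version(banner)
    if version is None:
        return "unparseable"
    fixed = has_cve_2009_2411_fix(version)
    if fixed is None:
        return "unknown-series"
    return "fixed" if fixed else "vulnerable"


# Constructed sample banners; the revision numbers are placeholders.
KARMIC_BANNER = "svn, version 1.6.1 (r00000)\n   compiled on a constructed sample host\n"
MERGED_BANNER = "svn, version 1.6.5 (r00000)\n"
LATER_PATCH_BANNER = "svn, version 1.6.10 (r00000)\n"

if __name__ == "__main__":
    for name, banner in [("Karmic as-is", KARMIC_BANNER),
                         ("after merge", MERGED_BANNER),
                         ("later 1.6.x", LATER_PATCH_BANNER)]:
        print(f"{name:12s} {parse_svn_version(banner)} -> {triage(banner)}")
```

Run it against the real banner with `svn --version | python3 triage.py` adapted to read stdin, or feed the constructed banners as above; the point of the tuple comparison is that a later 1.6.x such as 1.6.10 must not be misclassified as older than 1.6.4.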