Debian Bug report logs - #512191
websvn: WebSVN exposes protected files to users with insufficient permissions

version graph

Package: websvn; Maintainer for websvn is Pierre Chifflier <pollux@debian.org>; Source for websvn is src:websvn.

Reported by: Bas van Schaik <bas@tuxes.nl>

Date: Sun, 18 Jan 2009 12:21:02 UTC

Severity: grave

Tags: fixed-upstream, security

Found in version websvn/2.0-4

Fixed in versions websvn/2.0-4+lenny1, websvn/2.1.0-1

Done: Emilio Pozuelo Monfort <pochu@ubuntu.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Pierre Chifflier <pollux@debian.org>:
Bug#512191; Package websvn. (Sun, 18 Jan 2009 12:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bas van Schaik <bas@tuxes.nl>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Pierre Chifflier <pollux@debian.org>. (Sun, 18 Jan 2009 12:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Bas van Schaik <bas@tuxes.nl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: websvn: WebSVN exposes protected files to users with insufficient permissions
Date: Sun, 18 Jan 2009 13:18:03 +0100
Package: websvn
Version: 2.0-4
Severity: grave
Tags: security
Justification: user security hole

When WebSVN is configured to use an SVN authz file to check user
permissions, it only lists the repositories to which the user has
been granted authorization (like expected).

However, a malicious (authenticated) user can do an educated guess about
other repositories and alter the WebSVN URL to gain (limited) access to
these repositories.

Example: a user has been granted authorization for repository
"projects", but not to "classified-projects". After logging in to WebSVN
(using some authentication method), WebSVN checks which repositories
should be listed and only lists "projects". The URL to browse this
repository is like this:
  http://websvn.tetra.nl/listing.php?repname=projects

The malicious user can now alter this URL to access the
"classified-projects" repository:
  http://websvn.tetra.nl/listing.php?repname=classified-projects

Although WebSVN refuses to show the directories and files in the
repository (i.e. browsing is quite hard), it does present the links
"compare with previous" and "show changed files". These provide access
to the changelogs and diffs, while the user wasn't suppose to have any
acces to "classified-projects".

Especially in an environment where multiple users share a single server
for their repositories, this behavior is very undesirable and imposes a
security risk.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-xen-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages websvn depends on:
ii  apache2                   2.2.3-4+etch5  Next generation, scalable, extenda
ii  apache2-mpm-prefork [http 2.2.3-4+etch5  Traditional model for Apache HTTPD
ii  debconf [debconf-2.0]     1.5.11etch1    Debian configuration management sy
ii  libapache2-mod-php5       5.2.0-8+etch13 server-side, HTML-embedded scripti
ii  php5                      5.2.0-8+etch13 server-side, HTML-embedded scripti
ii  po-debconf                1.0.8          manage translated Debconf template
ii  subversion                1.4.2dfsg1-2   Advanced version control system
ii  ucf                       2.0020         Update Configuration File: preserv

Versions of packages websvn recommends:
ii  enscript                      1.6.4-11   Converts ASCII text to Postscript,

-- debconf information:
* websvn/webservers: apache2
* websvn/configuration: true
* websvn/parentpath: /home/svn/repositories
* websvn/repositories:
* websvn/permissions:




Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#512191; Package websvn. (Sun, 18 Jan 2009 13:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Sun, 18 Jan 2009 13:18:02 GMT) Full text and rfc822 format available.

Message #10 received at 512191@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Bas van Schaik <bas@tuxes.nl>
Cc: 512191@bugs.debian.org
Subject: Re: Bug#512191: websvn: WebSVN exposes protected files to users with insufficient permissions
Date: Sun, 18 Jan 2009 14:15:55 +0100
* Bas van Schaik:

> When WebSVN is configured to use an SVN authz file to check user
> permissions, it only lists the repositories to which the user has
> been granted authorization (like expected).

Thanks.  Has this been reported anywhere else?  Do we still need
contact upstream about this?




Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#512191; Package websvn. (Sun, 18 Jan 2009 13:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bas van Schaik <bas@tuxes.nl>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Sun, 18 Jan 2009 13:30:02 GMT) Full text and rfc822 format available.

Message #15 received at 512191@bugs.debian.org (full text, mbox):

From: Bas van Schaik <bas@tuxes.nl>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 512191@bugs.debian.org
Subject: Re: Bug#512191: websvn: WebSVN exposes protected files to users with insufficient permissions
Date: Sun, 18 Jan 2009 14:27:51 +0100
Florian Weimer wrote:
> * Bas van Schaik:
>   
>> When WebSVN is configured to use an SVN authz file to check user
>> permissions, it only lists the repositories to which the user has
>> been granted authorization (like expected).
>>     
> Thanks.  Has this been reported anywhere else?  Do we still need
> contact upstream about this?
I didn't contact upstream about it, I just found out last night. Would
you like me to contact upstream, or will you take care of it?

  -- Bas





Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#512191; Package websvn. (Sun, 18 Jan 2009 14:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bas van Schaik <bas@tuxes.nl>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Sun, 18 Jan 2009 14:48:03 GMT) Full text and rfc822 format available.

Message #20 received at 512191@bugs.debian.org (full text, mbox):

From: Bas van Schaik <bas@tuxes.nl>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 512191@bugs.debian.org
Subject: Re: Bug#512191: websvn: WebSVN exposes protected files to users with insufficient permissions
Date: Sun, 18 Jan 2009 15:44:21 +0100
I've just downloaded the WebSVN 2.1 tarball and it is not vulnerable for
this issue. Therefore, reporting to upstream doesn't make any sense...

However, WebSVN 2.0 will appear in Lenny. I think the fix should be
backported to 2.0 or Lenny should contain WebSVN 2.1.




Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#512191; Package websvn. (Sun, 18 Jan 2009 21:00:23 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Sun, 18 Jan 2009 21:00:24 GMT) Full text and rfc822 format available.

Message #25 received at 512191@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Bas van Schaik <bas@tuxes.nl>
Cc: 512191@bugs.debian.org
Subject: Re: Bug#512191: websvn: WebSVN exposes protected files to users with insufficient permissions
Date: Sun, 18 Jan 2009 21:48:51 +0100
* Bas van Schaik:

> I've just downloaded the WebSVN 2.1 tarball and it is not vulnerable for
> this issue. Therefore, reporting to upstream doesn't make any sense...
>
> However, WebSVN 2.0 will appear in Lenny. I think the fix should be
> backported to 2.0 or Lenny should contain WebSVN 2.1.

Probably, yes, although the severity is somewhat debatable.

etch is not affected because that WebSVN version does not implement
authentication.




Tags added: fixed-upstream Request was from Marco Rodrigues <gothicx@sapo.pt> to control@bugs.debian.org. (Fri, 13 Feb 2009 21:54:04 GMT) Full text and rfc822 format available.

Message sent on to Bas van Schaik <bas@tuxes.nl>:
Bug#512191. (Sat, 14 Feb 2009 18:21:04 GMT) Full text and rfc822 format available.

Message #30 received at 512191-submitter@bugs.debian.org (full text, mbox):

From: Emilio Pozuelo Monfort <pochu@ubuntu.com>
To: 512191-submitter@bugs.debian.org
Cc: Patrick Schoenfeld <schoenfeld@debian.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: websvn: WebSVN exposes protected files to users with insufficient permissions
Date: Sat, 14 Feb 2009 19:17:11 +0100
[Message part 1 (text/plain, inline)]
Hi,

I've successfully reproduced this bug in a Lenny environment, and have prepared
NMUs for unstable and lenny-security. The NMUs also include the debconf
translation template from #508488.

Cheers,
Emilio

websvn (2.0-4+lenny1) stable-security; urgency=high

  * Non-maintainer upload.
  * debian/patches/12_security_known_path_cve_2009_0240.patch:
    - Backports upstream changes from subversion r635, r636 and r649 to
      fix a security hole where authenticated users can access files
      with known paths. Closes: #512191.
    - Urgency high for the security fix.
    - References: CVE-2009-0240
  * debian/po/es.po:
    - Added Spanish debconf translation, thanks Francisco Javier Cuadrado.
      Closes: #508488.

 -- Emilio Pozuelo Monfort <pochu@ubuntu.com>  Sat, 14 Feb 2009 16:30:02 +0100


 debian/patches/12_security_known_path_cve_2009_0240.patch |  179 ++++++++++++++
 debian/po/es.po                                           |  137 ++++++++++
 websvn-2.0/debian/changelog                               |   15 +
 websvn-2.0/debian/patches/series                          |    1


emilio@saturno:~/tmp/websvn/websvn-2.0$ head -12
debian/patches/12_security_known_path_cve_2009_0240.patch

Backport changes from upstream svn to fix known paths security bypass
http://security-tracker.debian.net/tracker/CVE-2009-0240

r635 | spetters | 2008-03-08 10:19:17 +0100 (sáb 08 de mar de 2008) | 1 line
fixed authentication check for subfolders, patch by Dirk Thomas

r636 | spetters | 2008-09-25 19:24:57 +0200 (jue 25 de sep de 2008) | 1 line
fixed access control with calm theme

r649 | dirkthomas | 2008-11-03 13:29:29 +0100 (lun 03 de nov de 2008) | 1 line
restrict visible entries and log messages based on auth


[lenny.debdiff (text/plain, inline)]
diff -u websvn-2.0/debian/changelog websvn-2.0/debian/changelog
--- websvn-2.0/debian/changelog
+++ websvn-2.0/debian/changelog
@@ -1,3 +1,18 @@
+websvn (2.0-4+lenny1) stable-security; urgency=high
+
+  * Non-maintainer upload.
+  * debian/patches/12_security_known_path_cve_2009_0240.patch:
+    - Backports upstream changes from subversion r635, r636 and r649 to
+      fix a security hole where authenticated users can access files
+      with known paths. Closes: #512191.
+    - Urgency high for the security fix.
+    - References: CVE-2009-0240
+  * debian/po/es.po:
+    - Added Spanish debconf translation, thanks Francisco Javier Cuadrado.
+      Closes: #508488.
+
+ -- Emilio Pozuelo Monfort <pochu@ubuntu.com>  Sat, 14 Feb 2009 16:30:02 +0100
+
 websvn (2.0-4) unstable; urgency=high
 
   * Security: fix potential Cross Site Scripting and Directory
diff -u websvn-2.0/debian/patches/series websvn-2.0/debian/patches/series
--- websvn-2.0/debian/patches/series
+++ websvn-2.0/debian/patches/series
@@ -2,0 +3 @@
+12_security_known_path_cve_2009_0240.patch
only in patch2:
unchanged:
--- websvn-2.0.orig/debian/po/es.po
+++ websvn-2.0/debian/po/es.po
@@ -0,0 +1,137 @@
+# websvn po-debconf translation to Spanish
+# Copyright (C) 2008 Software in the Public Interest
+# This file is distributed under the same license as the websvn package.
+#
+# Changes:
+#  - Initial translation
+#       Francisco Javier Cuadrado <fcocuadrado@gmail.com>, 2008
+#
+#   Traductores, si no conoce el formato PO, merece la pena leer la
+#   documentación de gettext, especialmente las secciones dedicadas a este
+#   formato, por ejemplo ejecutando:
+#          info -n '(gettext)PO Files'
+#          info -n '(gettext)Header Entry'
+#
+#   Equipo de traducción al español, por favor, lean antes de traducir
+#   los siguientes documentos:
+#
+#       - El proyecto de traducción de Debian al español
+#         http://www.debian.org/intl/spanish/
+#         especialmente las notas de traducción en
+#         http://www.debian.org/intl/spanish/notas
+#
+#       - La guía de traducción de po's de debconf:
+#         /usr/share/doc/po-debconf/README-trans
+#         o http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: websvn 2.0-4\n"
+"Report-Msgid-Bugs-To: chifflier@cpe.fr\n"
+"POT-Creation-Date: 2006-11-14 09:46+0100\n"
+"PO-Revision-Date: \n"
+"Last-Translator: Francisco Javier Cuadrado <fcocuadrado@gmail.com>\n"
+"Language-Team: Debian l10n spanish <debian-l10n-spanish@lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid "Do you want to configure WebSVN now?"
+msgstr "¿Desea configurar WebSVN ahora?"
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid "WebSVN needs to be configured before its use, ie you must set the locations of the repositories."
+msgstr "WebSVN necesita configurarse antes de usarlo, por ejemplo: debe configurar las ubicaciones de los repositorios."
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid "If you want to configure it later, you should run 'dpkg-reconfigure websvn'."
+msgstr "Si quiere configurarlo después, debería ejecutar «dpkg-reconfigure websvn»."
+
+#. Type: string
+#. Description
+#: ../templates:2001
+msgid "svn parent repositories:"
+msgstr "Repositorios padres de svn:"
+
+#. Type: string
+#. Description
+#: ../templates:2001
+msgid "If you have directories containing svn repositories, enter the location of each parent directory you want to appear on websvn page."
+msgstr "Si tiene directorios que contienen repositorios svn, introduzca la ubicación de cada directorio padre si quiere que aparezcan en la página de websvn."
+
+#. Type: string
+#. Description
+#: ../templates:2001
+msgid "You must specify at least one existing subversion repository or WebSVN will not work. You can specify single repositories on the next step of the config."
+msgstr "Debe especificar al menos un repositorio existente de subversion o WebSVN no funcionará. Puede especificar repositorios únicos en el siguiente paso de la configuración."
+
+#. Type: string
+#. Description
+#. Type: string
+#. Description
+#: ../templates:2001
+#: ../templates:3001
+msgid "Separate each entry with a comma (,) but NO SPACE or leave empty."
+msgstr "Separe cada entrada con una coma (,) pero NO USE ESPACIOS o déjelo vacío."
+
+#. Type: string
+#. Description
+#: ../templates:3001
+msgid "svn repositories:"
+msgstr "Repositorios de svn:"
+
+#. Type: string
+#. Description
+#: ../templates:3001
+msgid "Enter the location of each svn repository you want to appear on websvn page."
+msgstr "Introduzca la ubicación de cada repositorio de svn que quiere que aparezca en la página de websvn."
+
+#. Type: string
+#. Description
+#: ../templates:3001
+msgid "You must specify at least one existing subversion repository or WebSVN will not work, except if you have given a parent path previously."
+msgstr "Debe especificar al menos un repositorio existente de subversion o WebSVN no funcionará, excepto si ha elegido previamente una ruta de un padre."
+
+#. Type: multiselect
+#. Choices
+#: ../templates:4001
+msgid "apache, apache-ssl, apache-perl, apache2"
+msgstr "apache, apache-ssl, apache-perl, apache2"
+
+#. Type: multiselect
+#. Description
+#: ../templates:4002
+msgid "Apache configuration:"
+msgstr "Configuración de Apache:"
+
+#. Type: multiselect
+#. Description
+#: ../templates:4002
+msgid "WebSVN supports any web server that php4 does, but this automatic configuration process only supports Apache."
+msgstr "WebSVN es compatible con cualquier servidor web que permita usar php4, pero este proceso de configuración sólo es compatible con Apache."
+
+#. Type: note
+#. Description
+#: ../templates:5001
+msgid "Note on permissions"
+msgstr "Atento a los permisos"
+
+#. Type: note
+#. Description
+#: ../templates:5001
+msgid "Due to a limitation in the DB format, the 'svnlook' command needs read-write access to the repository (to create locks etc). You need to give read-write permissions to the user running your webserver on all your repositories."
+msgstr "Debido a una limitación del formato de la base de datos, la orden «svnlook» necesita acceso de lectura y escritura al repositorio (para crear cerrojos, etc). Necesita asignar los permisos de lectura y escritura al usuario que ejecute su servidor web sobre todos sus repositorios."
+
+#. Type: note
+#. Description
+#: ../templates:5001
+msgid "Another way of avoiding this problem is by creating SVN repositories with the --fs-type=fsfs option.  Existing DB repositories can be converted to the FSFS format by using the svnadmin dump/load commands."
+msgstr "Otra manera de evitar este problema es creando los repositorios de SVN con la opción «--fs-type=fsfs». La base de datos existente de los repositorios se puede convertir al formato FSFS usando las órdenes «svnadmin dump» o «svnadmin load»."
+
only in patch2:
unchanged:
--- websvn-2.0.orig/debian/patches/12_security_known_path_cve_2009_0240.patch
+++ websvn-2.0/debian/patches/12_security_known_path_cve_2009_0240.patch
@@ -0,0 +1,179 @@
+Backport changes from upstream svn to fix known paths security bypass
+http://security-tracker.debian.net/tracker/CVE-2009-0240
+
+r635 | spetters | 2008-03-08 10:19:17 +0100 (sáb 08 de mar de 2008) | 1 line
+fixed authentication check for subfolders, patch by Dirk Thomas
+
+r636 | spetters | 2008-09-25 19:24:57 +0200 (jue 25 de sep de 2008) | 1 line
+fixed access control with calm theme
+
+r649 | dirkthomas | 2008-11-03 13:29:29 +0100 (lun 03 de nov de 2008) | 1 line
+restrict visible entries and log messages based on auth
+
+diff -ruNp websvn-2.0/include/auth.php websvn-2.0.foo/include/auth.php
+--- websvn-2.0/include/auth.php	2007-06-05 16:05:34.000000000 +0200
++++ websvn-2.0.foo/include/auth.php	2009-02-14 15:54:03.000000000 +0100
+@@ -144,7 +144,7 @@ class Authentication
+          {
+             $qualified = $repos.":".$path;
+             $len = strlen($qualified);
+-            if ($len <= strlen($section) && strncmp($section, $qualified, $len) == 0)
++            if ($len < strlen($section) && strncmp($section, $qualified, $len) == 0)
+             {
+                $access = $this->inList($accessers, $this->user);
+             }
+@@ -152,7 +152,7 @@ class Authentication
+             if ($access != ALLOW)
+             {
+                $len = strlen($path);
+-               if ($len <= strlen($section) && strncmp($section, $path, $len) == 0)
++               if ($len < strlen($section) && strncmp($section, $path, $len) == 0)
+                {
+                   $access = $this->inList($accessers, $this->user);
+                }
+diff -ruNp websvn-2.0/include/svnlook.php websvn-2.0.foo/include/svnlook.php
+--- websvn-2.0/include/svnlook.php	2007-08-13 10:38:26.000000000 +0200
++++ websvn-2.0.foo/include/svnlook.php	2009-02-14 16:00:04.000000000 +0100
+@@ -771,6 +771,33 @@ Class SVNRepository
+       }
+ 
+       xml_parser_free($xml_parser);
++
++      foreach ($curLog->entries as $entryKey => $entry) {
++        $fullModAccess = true;
++        $anyModAccess = (count($entry->mods) == 0);
++        foreach ($entry->mods as $modKey => $mod) {
++          $access = $this->repConfig->hasReadAccess($mod->path);
++          if ($access) {
++            $anyModAccess = true;
++          } else {
++            // hide modified entry when access is prohibited
++            unset($curLog->entries[$entryKey]->mods[$modKey]);
++            $fullModAccess = false;
++          }
++        }
++        if (!$fullModAccess) {
++          // hide commit message when access to any of the entries is prohibited
++          $curLog->entries[$entryKey]->msg = '';
++        }
++        if (!$anyModAccess) {
++          // hide author and date when access to all of the entries is prohibited
++          $curLog->entries[$entryKey]->author = '';
++          $curLog->entries[$entryKey]->date = '';
++          $curLog->entries[$entryKey]->committime = '';
++          $curLog->entries[$entryKey]->age = '';
++        }
++      }
++
+       return $curLog;
+    }
+ 
+diff -ruNp websvn-2.0/templates/calm/blame.tmpl websvn-2.0.foo/templates/calm/blame.tmpl
+--- websvn-2.0/templates/calm/blame.tmpl	2007-06-08 09:02:32.000000000 +0200
++++ websvn-2.0.foo/templates/calm/blame.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -1,5 +1,9 @@
+ <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div>
+ <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1>
++
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <div style="margin:0 2% 0 2%">
+ <h2 class="path">[websvn:curdirlinks] - [lang:BLAMEFOR] [websvn:rev]</h2>
+ <p>
+@@ -31,3 +35,4 @@
+    </tbody>
+ </table>
+ </div>
++[websvn-endtest]
+diff -ruNp websvn-2.0/templates/calm/compare.tmpl websvn-2.0.foo/templates/calm/compare.tmpl
+--- websvn-2.0/templates/calm/compare.tmpl	2007-08-08 14:25:48.000000000 +0200
++++ websvn-2.0.foo/templates/calm/compare.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -1,5 +1,9 @@
+ <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div>
+ <h1><a href="[websvn:indexurl]" title="[lang:PROJECTS]">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1>
++
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <div id="info">
+ <h2>Compare Revisions</h2>
+ <ul><li><dl><dt><strong>[lang:CONVFROM]</strong></dt><dd class="curdir"><pre title="[websvn:path1]">[websvn:path1]</pre></dd><dd>from [lang:REV] [websvn:rev1] to [lang:REV] [websvn:rev2]</dd><dd>&harr; [websvn:revlink]</dd></dl></li>
+@@ -60,3 +64,4 @@
+ [websvn-endtest]
+ 
+ [websvn-endlisting]
++[websvn-endtest]
+diff -ruNp websvn-2.0/templates/calm/diff.tmpl websvn-2.0.foo/templates/calm/diff.tmpl
+--- websvn-2.0/templates/calm/diff.tmpl	2007-06-11 09:37:17.000000000 +0200
++++ websvn-2.0.foo/templates/calm/diff.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -1,5 +1,9 @@
+ <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div>
+ <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1>
++
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <div style="margin:0 2% 0 2%">
+ <h2 class="path">[websvn:curdirlinks] - [lang:DIFFREVS] [websvn:rev2] [lang:AND] [websvn:rev1]</h2>
+ 
+@@ -48,3 +52,4 @@
+    </table>
+ [websvn-endtest]
+ </div>
++[websvn-endtest]
+diff -ruNp websvn-2.0/templates/calm/directory.tmpl websvn-2.0.foo/templates/calm/directory.tmpl
+--- websvn-2.0/templates/calm/directory.tmpl	2007-06-13 08:09:55.000000000 +0200
++++ websvn-2.0.foo/templates/calm/directory.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -1,6 +1,9 @@
+ <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div>
+ <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1>
+ 
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <h2 class="path" style="margin:0 2% 15px 2%;">[websvn:curdirlinks] - [lang:REV] [websvn:rev]</h2>
+ <p>
+ [websvn-test:goyoungestlink]
+@@ -130,3 +133,4 @@ e-node=<img src="[websvn:locwebsvnhttp]/
+ </p>
+ [websvn:compare_endform]
+ </div>
++[websvn-endtest]
+diff -ruNp websvn-2.0/templates/calm/file.tmpl websvn-2.0.foo/templates/calm/file.tmpl
+--- websvn-2.0/templates/calm/file.tmpl	2007-06-08 09:02:32.000000000 +0200
++++ websvn-2.0.foo/templates/calm/file.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -1,5 +1,9 @@
+ <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div>
+ <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1>
++
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <h2 class="path" style="margin:0 2% 15px 2%;">[websvn:curdirlinks] - [lang:REV] [websvn:rev]</h2>
+ <p>
+ [websvn-test:goyoungestlink]
+@@ -19,3 +23,4 @@
+ <span class="diff">[websvn:prevdifflink]</span> &#124;
+ <span class="diff">[websvn:blamelink]</span>
+ </p>
++[websvn-endtest]
+diff -ruNp websvn-2.0/templates/calm/log.tmpl websvn-2.0.foo/templates/calm/log.tmpl
+--- websvn-2.0/templates/calm/log.tmpl	2007-06-13 08:09:55.000000000 +0200
++++ websvn-2.0.foo/templates/calm/log.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -15,6 +15,9 @@
+ [websvn-endtest]
+ </p>
+ 
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <div id="info">
+ <h2>[lang:FILTER]</h2>
+ 
+@@ -89,4 +92,5 @@
+ <p>[websvn:pagelinks]</p>
+ <p>[websvn:showalllink]</p>
+ 
++[websvn-endtest]
+ </div>
[unstable.debdiff (text/plain, inline)]
diff -u websvn-2.0/debian/changelog websvn-2.0/debian/changelog
--- websvn-2.0/debian/changelog
+++ websvn-2.0/debian/changelog
@@ -1,3 +1,18 @@
+websvn (2.0-4+nmu1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * debian/patches/12_security_known_path_cve_2009_0240.patch:
+    - Backports upstream changes from subversion r635, r636 and r649 to
+      fix a security hole where authenticated users can access files
+      with known paths. Closes: #512191.
+    - Urgency high for the security fix.
+    - References: CVE-2009-0240
+  * debian/po/es.po:
+    - Added Spanish debconf translation, thanks Francisco Javier Cuadrado.
+      Closes: #508488.
+
+ -- Emilio Pozuelo Monfort <pochu@ubuntu.com>  Sat, 14 Feb 2009 16:30:02 +0100
+
 websvn (2.0-4) unstable; urgency=high
 
   * Security: fix potential Cross Site Scripting and Directory
diff -u websvn-2.0/debian/patches/series websvn-2.0/debian/patches/series
--- websvn-2.0/debian/patches/series
+++ websvn-2.0/debian/patches/series
@@ -2,0 +3 @@
+12_security_known_path_cve_2009_0240.patch
only in patch2:
unchanged:
--- websvn-2.0.orig/debian/po/es.po
+++ websvn-2.0/debian/po/es.po
@@ -0,0 +1,137 @@
+# websvn po-debconf translation to Spanish
+# Copyright (C) 2008 Software in the Public Interest
+# This file is distributed under the same license as the websvn package.
+#
+# Changes:
+#  - Initial translation
+#       Francisco Javier Cuadrado <fcocuadrado@gmail.com>, 2008
+#
+#   Traductores, si no conoce el formato PO, merece la pena leer la
+#   documentación de gettext, especialmente las secciones dedicadas a este
+#   formato, por ejemplo ejecutando:
+#          info -n '(gettext)PO Files'
+#          info -n '(gettext)Header Entry'
+#
+#   Equipo de traducción al español, por favor, lean antes de traducir
+#   los siguientes documentos:
+#
+#       - El proyecto de traducción de Debian al español
+#         http://www.debian.org/intl/spanish/
+#         especialmente las notas de traducción en
+#         http://www.debian.org/intl/spanish/notas
+#
+#       - La guía de traducción de po's de debconf:
+#         /usr/share/doc/po-debconf/README-trans
+#         o http://www.debian.org/intl/l10n/po-debconf/README-trans
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: websvn 2.0-4\n"
+"Report-Msgid-Bugs-To: chifflier@cpe.fr\n"
+"POT-Creation-Date: 2006-11-14 09:46+0100\n"
+"PO-Revision-Date: \n"
+"Last-Translator: Francisco Javier Cuadrado <fcocuadrado@gmail.com>\n"
+"Language-Team: Debian l10n spanish <debian-l10n-spanish@lists.debian.org>\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid "Do you want to configure WebSVN now?"
+msgstr "¿Desea configurar WebSVN ahora?"
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid "WebSVN needs to be configured before its use, ie you must set the locations of the repositories."
+msgstr "WebSVN necesita configurarse antes de usarlo, por ejemplo: debe configurar las ubicaciones de los repositorios."
+
+#. Type: boolean
+#. Description
+#: ../templates:1001
+msgid "If you want to configure it later, you should run 'dpkg-reconfigure websvn'."
+msgstr "Si quiere configurarlo después, debería ejecutar «dpkg-reconfigure websvn»."
+
+#. Type: string
+#. Description
+#: ../templates:2001
+msgid "svn parent repositories:"
+msgstr "Repositorios padres de svn:"
+
+#. Type: string
+#. Description
+#: ../templates:2001
+msgid "If you have directories containing svn repositories, enter the location of each parent directory you want to appear on websvn page."
+msgstr "Si tiene directorios que contienen repositorios svn, introduzca la ubicación de cada directorio padre si quiere que aparezcan en la página de websvn."
+
+#. Type: string
+#. Description
+#: ../templates:2001
+msgid "You must specify at least one existing subversion repository or WebSVN will not work. You can specify single repositories on the next step of the config."
+msgstr "Debe especificar al menos un repositorio existente de subversion o WebSVN no funcionará. Puede especificar repositorios únicos en el siguiente paso de la configuración."
+
+#. Type: string
+#. Description
+#. Type: string
+#. Description
+#: ../templates:2001
+#: ../templates:3001
+msgid "Separate each entry with a comma (,) but NO SPACE or leave empty."
+msgstr "Separe cada entrada con una coma (,) pero NO USE ESPACIOS o déjelo vacío."
+
+#. Type: string
+#. Description
+#: ../templates:3001
+msgid "svn repositories:"
+msgstr "Repositorios de svn:"
+
+#. Type: string
+#. Description
+#: ../templates:3001
+msgid "Enter the location of each svn repository you want to appear on websvn page."
+msgstr "Introduzca la ubicación de cada repositorio de svn que quiere que aparezca en la página de websvn."
+
+#. Type: string
+#. Description
+#: ../templates:3001
+msgid "You must specify at least one existing subversion repository or WebSVN will not work, except if you have given a parent path previously."
+msgstr "Debe especificar al menos un repositorio existente de subversion o WebSVN no funcionará, excepto si ha elegido previamente una ruta de un padre."
+
+#. Type: multiselect
+#. Choices
+#: ../templates:4001
+msgid "apache, apache-ssl, apache-perl, apache2"
+msgstr "apache, apache-ssl, apache-perl, apache2"
+
+#. Type: multiselect
+#. Description
+#: ../templates:4002
+msgid "Apache configuration:"
+msgstr "Configuración de Apache:"
+
+#. Type: multiselect
+#. Description
+#: ../templates:4002
+msgid "WebSVN supports any web server that php4 does, but this automatic configuration process only supports Apache."
+msgstr "WebSVN es compatible con cualquier servidor web que permita usar php4, pero este proceso de configuración sólo es compatible con Apache."
+
+#. Type: note
+#. Description
+#: ../templates:5001
+msgid "Note on permissions"
+msgstr "Atento a los permisos"
+
+#. Type: note
+#. Description
+#: ../templates:5001
+msgid "Due to a limitation in the DB format, the 'svnlook' command needs read-write access to the repository (to create locks etc). You need to give read-write permissions to the user running your webserver on all your repositories."
+msgstr "Debido a una limitación del formato de la base de datos, la orden «svnlook» necesita acceso de lectura y escritura al repositorio (para crear cerrojos, etc). Necesita asignar los permisos de lectura y escritura al usuario que ejecute su servidor web sobre todos sus repositorios."
+
+#. Type: note
+#. Description
+#: ../templates:5001
+msgid "Another way of avoiding this problem is by creating SVN repositories with the --fs-type=fsfs option.  Existing DB repositories can be converted to the FSFS format by using the svnadmin dump/load commands."
+msgstr "Otra manera de evitar este problema es creando los repositorios de SVN con la opción «--fs-type=fsfs». La base de datos existente de los repositorios se puede convertir al formato FSFS usando las órdenes «svnadmin dump» o «svnadmin load»."
+
only in patch2:
unchanged:
--- websvn-2.0.orig/debian/patches/12_security_known_path_cve_2009_0240.patch
+++ websvn-2.0/debian/patches/12_security_known_path_cve_2009_0240.patch
@@ -0,0 +1,179 @@
+Backport changes from upstream svn to fix known paths security bypass
+http://security-tracker.debian.net/tracker/CVE-2009-0240
+
+r635 | spetters | 2008-03-08 10:19:17 +0100 (sáb 08 de mar de 2008) | 1 line
+fixed authentication check for subfolders, patch by Dirk Thomas
+
+r636 | spetters | 2008-09-25 19:24:57 +0200 (jue 25 de sep de 2008) | 1 line
+fixed access control with calm theme
+
+r649 | dirkthomas | 2008-11-03 13:29:29 +0100 (lun 03 de nov de 2008) | 1 line
+restrict visible entries and log messages based on auth
+
+diff -ruNp websvn-2.0/include/auth.php websvn-2.0.foo/include/auth.php
+--- websvn-2.0/include/auth.php	2007-06-05 16:05:34.000000000 +0200
++++ websvn-2.0.foo/include/auth.php	2009-02-14 15:54:03.000000000 +0100
+@@ -144,7 +144,7 @@ class Authentication
+          {
+             $qualified = $repos.":".$path;
+             $len = strlen($qualified);
+-            if ($len <= strlen($section) && strncmp($section, $qualified, $len) == 0)
++            if ($len < strlen($section) && strncmp($section, $qualified, $len) == 0)
+             {
+                $access = $this->inList($accessers, $this->user);
+             }
+@@ -152,7 +152,7 @@ class Authentication
+             if ($access != ALLOW)
+             {
+                $len = strlen($path);
+-               if ($len <= strlen($section) && strncmp($section, $path, $len) == 0)
++               if ($len < strlen($section) && strncmp($section, $path, $len) == 0)
+                {
+                   $access = $this->inList($accessers, $this->user);
+                }
+diff -ruNp websvn-2.0/include/svnlook.php websvn-2.0.foo/include/svnlook.php
+--- websvn-2.0/include/svnlook.php	2007-08-13 10:38:26.000000000 +0200
++++ websvn-2.0.foo/include/svnlook.php	2009-02-14 16:00:04.000000000 +0100
+@@ -771,6 +771,33 @@ Class SVNRepository
+       }
+ 
+       xml_parser_free($xml_parser);
++
++      foreach ($curLog->entries as $entryKey => $entry) {
++        $fullModAccess = true;
++        $anyModAccess = (count($entry->mods) == 0);
++        foreach ($entry->mods as $modKey => $mod) {
++          $access = $this->repConfig->hasReadAccess($mod->path);
++          if ($access) {
++            $anyModAccess = true;
++          } else {
++            // hide modified entry when access is prohibited
++            unset($curLog->entries[$entryKey]->mods[$modKey]);
++            $fullModAccess = false;
++          }
++        }
++        if (!$fullModAccess) {
++          // hide commit message when access to any of the entries is prohibited
++          $curLog->entries[$entryKey]->msg = '';
++        }
++        if (!$anyModAccess) {
++          // hide author and date when access to all of the entries is prohibited
++          $curLog->entries[$entryKey]->author = '';
++          $curLog->entries[$entryKey]->date = '';
++          $curLog->entries[$entryKey]->committime = '';
++          $curLog->entries[$entryKey]->age = '';
++        }
++      }
++
+       return $curLog;
+    }
+ 
+diff -ruNp websvn-2.0/templates/calm/blame.tmpl websvn-2.0.foo/templates/calm/blame.tmpl
+--- websvn-2.0/templates/calm/blame.tmpl	2007-06-08 09:02:32.000000000 +0200
++++ websvn-2.0.foo/templates/calm/blame.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -1,5 +1,9 @@
+ <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div>
+ <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1>
++
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <div style="margin:0 2% 0 2%">
+ <h2 class="path">[websvn:curdirlinks] - [lang:BLAMEFOR] [websvn:rev]</h2>
+ <p>
+@@ -31,3 +35,4 @@
+    </tbody>
+ </table>
+ </div>
++[websvn-endtest]
+diff -ruNp websvn-2.0/templates/calm/compare.tmpl websvn-2.0.foo/templates/calm/compare.tmpl
+--- websvn-2.0/templates/calm/compare.tmpl	2007-08-08 14:25:48.000000000 +0200
++++ websvn-2.0.foo/templates/calm/compare.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -1,5 +1,9 @@
+ <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div>
+ <h1><a href="[websvn:indexurl]" title="[lang:PROJECTS]">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1>
++
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <div id="info">
+ <h2>Compare Revisions</h2>
+ <ul><li><dl><dt><strong>[lang:CONVFROM]</strong></dt><dd class="curdir"><pre title="[websvn:path1]">[websvn:path1]</pre></dd><dd>from [lang:REV] [websvn:rev1] to [lang:REV] [websvn:rev2]</dd><dd>&harr; [websvn:revlink]</dd></dl></li>
+@@ -60,3 +64,4 @@
+ [websvn-endtest]
+ 
+ [websvn-endlisting]
++[websvn-endtest]
+diff -ruNp websvn-2.0/templates/calm/diff.tmpl websvn-2.0.foo/templates/calm/diff.tmpl
+--- websvn-2.0/templates/calm/diff.tmpl	2007-06-11 09:37:17.000000000 +0200
++++ websvn-2.0.foo/templates/calm/diff.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -1,5 +1,9 @@
+ <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div>
+ <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1>
++
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <div style="margin:0 2% 0 2%">
+ <h2 class="path">[websvn:curdirlinks] - [lang:DIFFREVS] [websvn:rev2] [lang:AND] [websvn:rev1]</h2>
+ 
+@@ -48,3 +52,4 @@
+    </table>
+ [websvn-endtest]
+ </div>
++[websvn-endtest]
+diff -ruNp websvn-2.0/templates/calm/directory.tmpl websvn-2.0.foo/templates/calm/directory.tmpl
+--- websvn-2.0/templates/calm/directory.tmpl	2007-06-13 08:09:55.000000000 +0200
++++ websvn-2.0.foo/templates/calm/directory.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -1,6 +1,9 @@
+ <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div>
+ <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1>
+ 
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <h2 class="path" style="margin:0 2% 15px 2%;">[websvn:curdirlinks] - [lang:REV] [websvn:rev]</h2>
+ <p>
+ [websvn-test:goyoungestlink]
+@@ -130,3 +133,4 @@ e-node=<img src="[websvn:locwebsvnhttp]/
+ </p>
+ [websvn:compare_endform]
+ </div>
++[websvn-endtest]
+diff -ruNp websvn-2.0/templates/calm/file.tmpl websvn-2.0.foo/templates/calm/file.tmpl
+--- websvn-2.0/templates/calm/file.tmpl	2007-06-08 09:02:32.000000000 +0200
++++ websvn-2.0.foo/templates/calm/file.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -1,5 +1,9 @@
+ <div id="select">[websvn:projects_form]<div>[websvn:projects_hidden][websvn:projects_select]<span class="submit">[websvn:projects_submit]</span></div>[websvn:projects_endform]</div>
+ <h1><a href="[websvn:indexurl]" title="Project home">[lang:PROJECTS]</a> <span>[websvn:repname]</span></h1>
++
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <h2 class="path" style="margin:0 2% 15px 2%;">[websvn:curdirlinks] - [lang:REV] [websvn:rev]</h2>
+ <p>
+ [websvn-test:goyoungestlink]
+@@ -19,3 +23,4 @@
+ <span class="diff">[websvn:prevdifflink]</span> &#124;
+ <span class="diff">[websvn:blamelink]</span>
+ </p>
++[websvn-endtest]
+diff -ruNp websvn-2.0/templates/calm/log.tmpl websvn-2.0.foo/templates/calm/log.tmpl
+--- websvn-2.0/templates/calm/log.tmpl	2007-06-13 08:09:55.000000000 +0200
++++ websvn-2.0.foo/templates/calm/log.tmpl	2009-02-14 16:01:06.000000000 +0100
+@@ -15,6 +15,9 @@
+ [websvn-endtest]
+ </p>
+ 
++[websvn-test:noaccess]
++   [lang:NOACCESS]
++[websvn-else]
+ <div id="info">
+ <h2>[lang:FILTER]</h2>
+ 
+@@ -89,4 +92,5 @@
+ <p>[websvn:pagelinks]</p>
+ <p>[websvn:showalllink]</p>
+ 
++[websvn-endtest]
+ </div>
[signature.asc (application/pgp-signature, attachment)]

Message sent on to Bas van Schaik <bas@tuxes.nl>:
Bug#512191. (Sat, 14 Feb 2009 19:45:02 GMT) Full text and rfc822 format available.

Message #33 received at 512191-submitter@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Emilio Pozuelo Monfort <pochu@ubuntu.com>
Cc: 512191-submitter@bugs.debian.org, Patrick Schoenfeld <schoenfeld@debian.org>
Subject: Re: websvn: WebSVN exposes protected files to users with insufficient permissions
Date: Sat, 14 Feb 2009 20:42:59 +0100
* Emilio Pozuelo Monfort:

> websvn (2.0-4+lenny1) stable-security; urgency=high

> websvn (2.0-4+nmu1) unstable; urgency=high

The +nmu1 upload should not be necessary, according to Joerg Jaspert.

Please upload the +lenny1 version to stable-security (note that you
need to build with -sa).  We'll see what happens.




Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#512191; Package websvn. (Sun, 15 Feb 2009 10:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Pierre Chifflier <pollux@debian.org>. (Sun, 15 Feb 2009 10:48:02 GMT) Full text and rfc822 format available.

Message #38 received at 512191@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 512191@bugs.debian.org
Cc: Emilio Pozuelo Monfort <pochu@ubuntu.com>, Patrick Schoenfeld <schoenfeld@debian.org>, team@security.debian.org
Subject: Re: websvn: WebSVN exposes protected files to users with insufficient permissions
Date: Sun, 15 Feb 2009 11:46:46 +0100
[Message part 1 (text/plain, inline)]
Hi,

Thank you for your work. I have uploaded the lenny version to stable-security, 
with one further addition: added the CVE entries for previous updates to the 
changelog.

When we can release this update, it will automatically propagate to testing 
and unstable since versions are equal.

Pierre, when making a new upload of 2.1.x, please ensure that all CVE entries 
included in the current package changelog are copied into your new version.


cheers,
Thijs
[signature.asc (application/pgp-signature, inline)]

Tags added: pending Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Sun, 15 Feb 2009 10:48:05 GMT) Full text and rfc822 format available.

Reply sent to Emilio Pozuelo Monfort <pochu@ubuntu.com>:
You have taken responsibility. (Tue, 17 Feb 2009 20:15:08 GMT) Full text and rfc822 format available.

Notification sent to Bas van Schaik <bas@tuxes.nl>:
Bug acknowledged by developer. (Tue, 17 Feb 2009 20:15:08 GMT) Full text and rfc822 format available.

Message #45 received at 512191-close@bugs.debian.org (full text, mbox):

From: Emilio Pozuelo Monfort <pochu@ubuntu.com>
To: 512191-close@bugs.debian.org
Subject: Bug#512191: fixed in websvn 2.0-4+lenny1
Date: Tue, 17 Feb 2009 19:52:23 +0000
Source: websvn
Source-Version: 2.0-4+lenny1

We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive:

websvn_2.0-4+lenny1.diff.gz
  to pool/main/w/websvn/websvn_2.0-4+lenny1.diff.gz
websvn_2.0-4+lenny1.dsc
  to pool/main/w/websvn/websvn_2.0-4+lenny1.dsc
websvn_2.0-4+lenny1_all.deb
  to pool/main/w/websvn/websvn_2.0-4+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512191@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@ubuntu.com> (supplier of updated websvn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 14 Feb 2009 16:30:02 +0100
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.0-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@ubuntu.com>
Description: 
 websvn     - interface for subversion repositories written in PHP
Closes: 508488 512191
Changes: 
 websvn (2.0-4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * debian/patches/12_security_known_path_cve_2009_0240.patch:
     - Backports upstream changes from subversion r635, r636 and r649 to
       fix a security hole where authenticated users can access files
       with known paths. Closes: #512191.
     - Urgency high for the security fix.
     - References: CVE-2009-0240
   * debian/po/es.po:
     - Added Spanish debconf translation, thanks Francisco Javier Cuadrado.
       Closes: #508488.
Checksums-Sha1: 
 2a2a02c893c09c977abd2d240ae127cb345e177c 1291 websvn_2.0-4+lenny1.dsc
 f32e69046626ce3da047617dcd066d304cf4e45d 172005 websvn_2.0.orig.tar.gz
 a55cf7784e37968ce645df393a92b7d957c963cf 21217 websvn_2.0-4+lenny1.diff.gz
 908e7c16f2099f7ac93828d8977fa15da0f4dfd5 194618 websvn_2.0-4+lenny1_all.deb
Checksums-Sha256: 
 a1b703eb036b962341518531a634c659e55edf5d9dc20cb9cc448eb5780433da 1291 websvn_2.0-4+lenny1.dsc
 38104a86d6a90bb3f18a5b0a957b46cf0c1409037bb2a83c09e9f24543cfa2ea 172005 websvn_2.0.orig.tar.gz
 080b93d9ef11c4e83cc27ac817a0476910c9df5b9e99abd7af6556909271f299 21217 websvn_2.0-4+lenny1.diff.gz
 7252b62cada697c9e2140ea31af0283a53cc6281cf6752ae369ee39ff0d37b99 194618 websvn_2.0-4+lenny1_all.deb
Files: 
 3b2910de66eb35b3650558c2a6b70d74 1291 devel optional websvn_2.0-4+lenny1.dsc
 047e02c0fa2948fdf98a3e348e3f1530 172005 devel optional websvn_2.0.orig.tar.gz
 fec9c4c9173ac5da1e6866b6afdb37ff 21217 devel optional websvn_2.0-4+lenny1.diff.gz
 f03bd2f1bf00ee0666368a85faf1a9ef 194618 devel optional websvn_2.0-4+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJl+3AAAoJECIIoQCMVaAc5zAIAJxm47I3p1QlPP0Ik4vGO56c
PNKzg65bSA/YcWnYDSqBjui0N2okvhtYk+NlbuQP8sFZWGsEOU81NUvOP1Dsrx8p
Y0y13K7ytTSkiG6mSHvWQleTrVix7W6hybjg2HXRMMP0RNt93HkUPyc2kvSqyJCu
oHL17nTnPuBUW1uMdrn+BRz/lUlGr0ppokKyy5G2nhcLngUFqnFXeJ9WwE4dmZ5Z
OQH3tA9CXo1LkIgXZ2z/brqmLJfzCEPrhWlKyH2OoW2pzj6c3BSRi5/AcEOqxE3a
bAtkyerX6ONB78kd00hMEFvSD40ViibDkn7mZnhUXKcGjdLHeXP+NbzfDyaD+Ps=
=Fe9H
-----END PGP SIGNATURE-----





Reply sent to Pierre Chifflier <pollux@debian.org>:
You have taken responsibility. (Wed, 25 Feb 2009 16:06:15 GMT) Full text and rfc822 format available.

Notification sent to Bas van Schaik <bas@tuxes.nl>:
Bug acknowledged by developer. (Wed, 25 Feb 2009 16:06:16 GMT) Full text and rfc822 format available.

Message #50 received at 512191-close@bugs.debian.org (full text, mbox):

From: Pierre Chifflier <pollux@debian.org>
To: 512191-close@bugs.debian.org
Subject: Bug#512191: fixed in websvn 2.1.0-1
Date: Wed, 25 Feb 2009 15:22:05 +0000
Source: websvn
Source-Version: 2.1.0-1

We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive:

websvn_2.1.0-1.diff.gz
  to pool/main/w/websvn/websvn_2.1.0-1.diff.gz
websvn_2.1.0-1.dsc
  to pool/main/w/websvn/websvn_2.1.0-1.dsc
websvn_2.1.0-1_all.deb
  to pool/main/w/websvn/websvn_2.1.0-1_all.deb
websvn_2.1.0.orig.tar.gz
  to pool/main/w/websvn/websvn_2.1.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512191@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Chifflier <pollux@debian.org> (supplier of updated websvn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 25 Feb 2009 14:31:08 +0100
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.1.0-1
Distribution: unstable
Urgency: low
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Pierre Chifflier <pollux@debian.org>
Description: 
 websvn     - interface for Subversion repositories written in PHP
Closes: 491980 508488 512191
Changes: 
 websvn (2.1.0-1) unstable; urgency=low
 .
   * New Upstream Version (Closes: #491980)
   * Drop following patches, merged upstream:
       10_security_dir_transversal.patch
       11_security_css.patch
       12_security_known_path_cve_2009_0240.patch
   * New patch:
       20_use_global_geshi.patch
       21_fix_conf_file.patch
   * Acknowledge NMU (Thanks Emilio) Closes: #512191, #508488
     - References: CVE-2009-0240
   * Add Homepage field
   * Fix lintian warnings:
     W: websvn: maintainer-script-ignores-errors config
     W: websvn: spelling-error-in-description subversion Subversion
     W: websvn source: patch-system-but-direct-changes-in-diff .pc/.version
     W: websvn source: debhelper-but-no-misc-depends websvn
Checksums-Sha1: 
 03fffd1d6f486dccd142faa1c0914ac3016b13d8 1013 websvn_2.1.0-1.dsc
 55eef34a33271109a9781b392d1684cdfc65a07c 572038 websvn_2.1.0.orig.tar.gz
 2d9144f7e29430d9a1a388c7b16f67e7b6112f36 21642 websvn_2.1.0-1.diff.gz
 6614dcd929221e989b6af8181564b80a504e740b 195470 websvn_2.1.0-1_all.deb
Checksums-Sha256: 
 398d4a68b1ce899ce8ada4845abd1293441c9e037cc7eefecfe3df84e95c256c 1013 websvn_2.1.0-1.dsc
 d201eaf8dcf962c8402c2fdd1a798a5b5d4a9700b20c0dadfd83397ffe15afa6 572038 websvn_2.1.0.orig.tar.gz
 b79f9e30630b7f134128b0f4291204f3cdca28ab73eacb81b4991d54f49c7e11 21642 websvn_2.1.0-1.diff.gz
 e7c963e40cd675560a27e3f626c162fbe851dfce761920f75daf1c604bd1652a 195470 websvn_2.1.0-1_all.deb
Files: 
 6ec940992036352a450a6637975e91d0 1013 devel optional websvn_2.1.0-1.dsc
 0973edc5ca348424104147846b7d7152 572038 devel optional websvn_2.1.0.orig.tar.gz
 2a78f4edb3620c4ab29b99c2c6f5f81d 21642 devel optional websvn_2.1.0-1.diff.gz
 99077bb8d1e2afb2aa5a4df357a2883d 195470 devel optional websvn_2.1.0-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJpVNetwVrWo1fQMsRAvfJAJ0c8dw9SdMGDZ4nKqtwTbAMDA5MgwCg5nMH
Kcf8DrKsZQrOBr+48ev8ZZE=
=401Y
-----END PGP SIGNATURE-----





Reply sent to Emilio Pozuelo Monfort <pochu@ubuntu.com>:
You have taken responsibility. (Sat, 11 Apr 2009 17:33:09 GMT) Full text and rfc822 format available.

Notification sent to Bas van Schaik <bas@tuxes.nl>:
Bug acknowledged by developer. (Sat, 11 Apr 2009 17:33:09 GMT) Full text and rfc822 format available.

Message #55 received at 512191-close@bugs.debian.org (full text, mbox):

From: Emilio Pozuelo Monfort <pochu@ubuntu.com>
To: 512191-close@bugs.debian.org
Subject: Bug#512191: fixed in websvn 2.0-4+lenny1
Date: Sat, 11 Apr 2009 16:47:45 +0000
Source: websvn
Source-Version: 2.0-4+lenny1

We believe that the bug you reported is fixed in the latest version of
websvn, which is due to be installed in the Debian FTP archive:

websvn_2.0-4+lenny1.diff.gz
  to pool/main/w/websvn/websvn_2.0-4+lenny1.diff.gz
websvn_2.0-4+lenny1.dsc
  to pool/main/w/websvn/websvn_2.0-4+lenny1.dsc
websvn_2.0-4+lenny1_all.deb
  to pool/main/w/websvn/websvn_2.0-4+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512191@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@ubuntu.com> (supplier of updated websvn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 14 Feb 2009 16:30:02 +0100
Source: websvn
Binary: websvn
Architecture: source all
Version: 2.0-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@ubuntu.com>
Description: 
 websvn     - interface for subversion repositories written in PHP
Closes: 508488 512191
Changes: 
 websvn (2.0-4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * debian/patches/12_security_known_path_cve_2009_0240.patch:
     - Backports upstream changes from subversion r635, r636 and r649 to
       fix a security hole where authenticated users can access files
       with known paths. Closes: #512191.
     - Urgency high for the security fix.
     - References: CVE-2009-0240
   * debian/po/es.po:
     - Added Spanish debconf translation, thanks Francisco Javier Cuadrado.
       Closes: #508488.
Checksums-Sha1: 
 2a2a02c893c09c977abd2d240ae127cb345e177c 1291 websvn_2.0-4+lenny1.dsc
 f32e69046626ce3da047617dcd066d304cf4e45d 172005 websvn_2.0.orig.tar.gz
 a55cf7784e37968ce645df393a92b7d957c963cf 21217 websvn_2.0-4+lenny1.diff.gz
 908e7c16f2099f7ac93828d8977fa15da0f4dfd5 194618 websvn_2.0-4+lenny1_all.deb
Checksums-Sha256: 
 a1b703eb036b962341518531a634c659e55edf5d9dc20cb9cc448eb5780433da 1291 websvn_2.0-4+lenny1.dsc
 38104a86d6a90bb3f18a5b0a957b46cf0c1409037bb2a83c09e9f24543cfa2ea 172005 websvn_2.0.orig.tar.gz
 080b93d9ef11c4e83cc27ac817a0476910c9df5b9e99abd7af6556909271f299 21217 websvn_2.0-4+lenny1.diff.gz
 7252b62cada697c9e2140ea31af0283a53cc6281cf6752ae369ee39ff0d37b99 194618 websvn_2.0-4+lenny1_all.deb
Files: 
 3b2910de66eb35b3650558c2a6b70d74 1291 devel optional websvn_2.0-4+lenny1.dsc
 047e02c0fa2948fdf98a3e348e3f1530 172005 devel optional websvn_2.0.orig.tar.gz
 fec9c4c9173ac5da1e6866b6afdb37ff 21217 devel optional websvn_2.0-4+lenny1.diff.gz
 f03bd2f1bf00ee0666368a85faf1a9ef 194618 devel optional websvn_2.0-4+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJl+3AAAoJECIIoQCMVaAc5zAIAJxm47I3p1QlPP0Ik4vGO56c
PNKzg65bSA/YcWnYDSqBjui0N2okvhtYk+NlbuQP8sFZWGsEOU81NUvOP1Dsrx8p
Y0y13K7ytTSkiG6mSHvWQleTrVix7W6hybjg2HXRMMP0RNt93HkUPyc2kvSqyJCu
oHL17nTnPuBUW1uMdrn+BRz/lUlGr0ppokKyy5G2nhcLngUFqnFXeJ9WwE4dmZ5Z
OQH3tA9CXo1LkIgXZ2z/brqmLJfzCEPrhWlKyH2OoW2pzj6c3BSRi5/AcEOqxE3a
bAtkyerX6ONB78kd00hMEFvSD40ViibDkn7mZnhUXKcGjdLHeXP+NbzfDyaD+Ps=
=Fe9H
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:37:30 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:18:51 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.