Upgrade Subversion 1.13 to 1.14 LTS ( Ubuntu 20.04.5)


JITHIN K

Oct 23, 2023, 11:54:54 AM
to us...@subversion.apache.org
Hello Team, 

Is there any recommended upgrading instruction for upgrading Subversion 1.13 to 1.14 LTS in Ubuntu 20.04.5?

Regards,
Jithin K

Yasuhito FUTATSUKI

Oct 25, 2023, 6:51:59 PM
to JITHIN K, us...@subversion.apache.org
Hello,

On 2023/10/24 0:53, JITHIN K wrote:
> Hello Team,

We are not the team, but a users' community, I think.

> Is there any recommended upgrading instruction for upgrading Subversion
> 1.13 to 1.14 LTS in Ubuntu 20.04.5.

It depends on your background: how you installed Subversion 1.13,
how you want to manage installed software, whether the programs you
are using depend on the Subversion SWIG Python 2 bindings or not (*1),
how you managed the dependencies of the software libraries, what you
installed on your Ubuntu 20.04.5 environment, etc.

(*1) Subversion 1.14.x still supports SWIG Python 2 bindings,
but to build them from the release tarball, it needs extra software
dependencies and extra steps.

If you installed Subversion 1.13 and all other software from
Ubuntu's package repository, and also other software, and
there is no problem with upgrading to Ubuntu 22.04 LTS, that may
be the easiest way. However, I can't tell whether you have a problem
with upgrading or not.

Cheers,
--
Yasuhito FUTATSUKI <futa...@poem.co.jp>/<futa...@yf.bsdclub.org>

Yasuhito FUTATSUKI

Oct 26, 2023, 7:13:56 AM
to us...@subversion.apache.org, JITHIN K
The message below seems to be intended to be sent not to me but
to the users@ list, so I forward it.

-- Yasuhito FUTATSUKI

-------- Forwarded Message --------
From: JITHIN K <jith...@gmail.com>
Date: Thu, 26 Oct 2023 15:42:07 +0530
Subject: Re: Upgrade Subversion 1.13 to 1.14 LTS ( Ubuntu 20.04.5)
To: Yasuhito FUTATSUKI <futa...@poem.co.jp>

Hello Users Community,

Hope you are doing great.
I have installed Apache Subversion 1.13 in Ubuntu 20.04.5 using apt-get
(from the Ubuntu package) and also installed libapache2-mod-svn.
I do not have any plan to upgrade the OS to Ubuntu 22.04. I am looking to
see whether using apt-get upgrade subversion will automatically upgrade
Subversion to 1.14 and also upgrade the library.





Nathan Hartman

Oct 26, 2023, 8:07:56 AM
to us...@subversion.apache.org, JITHIN K
> -------- Forwarded Message --------
> (snip headers)
>
> Hello Users Community,
>
> Hope you are doing great.
> I have installed Apache Subversion 1.13 in Ubuntu 20.04.5 using apt-get (
> From Ubuntu package ) and also installed libapache2-mod-svn.
> I do not have any plan to upgrade the OS to Ubuntu 22.04. I am looking if I
> use apt-get upgrade subversion will automatically upgrade Subversion to
> 1.14 and also upgrade the library.


Not by default (however see below): Generally, once a Ubuntu release line like 20.04.x is made, software in the Ubuntu package repositories will get only bug fixes and security fixes, not new features. This means that the Subversion packages will remain at 1.13.x for Ubuntu 20.04.x when using the default package repositories.

However, it is likely that Ubuntu's backports repositories have the newer Subversion 1.14.x releases. The backports repositories are the preferred way to install newer releases of software packages on older releases of Ubuntu.

I haven't used Ubuntu in many years so I cannot give detailed steps, but this documentation looks promising:


Hope this helps,
Nathan 

Mark Phippard

Oct 26, 2023, 10:06:11 AM
to Nathan Hartman, us...@subversion.apache.org, JITHIN K
On Thu, Oct 26, 2023 at 9:59 AM Nathan Hartman <hartman...@gmail.com> wrote:
>>
>> -------- Forwarded Message --------
>
> (snip headers)
>>
>>
>> Hello Users Community,
>>
>> Hope you are doing great.
>> I have installed Apache Subversion 1.13 in Ubuntu 20.04.5 using apt-get (
>> From Ubuntu package ) and also installed libapache2-mod-svn.
>> I do not have any plan to upgrade the OS to Ubuntu 22.04. I am looking if I
>> use apt-get upgrade subversion will automatically upgrade Subversion to
>> 1.14 and also upgrade the library.
>
>
>
> Not by default (however see below): Generally, once a Ubuntu release line like 20.04.x is made, software in the Ubuntu package repositories will get only bug fixes and security fixes, not new features. This means that the Subversion packages will remain at 1.13.x for Ubuntu 20.04.x when using the default package repositories.
>
> However, it is likely that Ubuntu's backports repositories have the newer Subversion 1.14.x releases. The backports repositories are the preferred way to install newer releases of software packages on older releases of Ubuntu.

I would add that I do not believe there are compelling reasons to
upgrade from 1.13 to 1.14 if your distro hasn't. I would recommend
sticking with what your distro is providing unless there is some
highly compelling reason to install your own package. This is
especially true on a server.

If you really have a need for 1.14, I would upgrade your entire distro
to a version that provides it.

Mark

JITHIN K

Oct 30, 2023, 9:32:59 AM
to Mark Phippard, Nathan Hartman, us...@subversion.apache.org

 

Hello Mark,

As per my understanding, Subversion 1.13 is no longer supported and no security patches have been released for the following items in Subversion 1.13.

  • CVE-2020-17525: Denial of service vulnerability in mod_authz_svn module. This vulnerability can be exploited by an attacker to cause Apache Subversion to crash.
  • CVE-2021-21298: Insecure deserialization vulnerability in libsvn_xml library. This vulnerability can be exploited by an attacker to execute arbitrary code on the Subversion server.
  • CVE-2021-21297: Heap-based buffer overflow vulnerability in libsvn_fs_x library. This vulnerability can be exploited by an attacker to execute arbitrary code on the Subversion server.
  • CVE-2021-21296: Integer overflow vulnerability in libsvn_diff library. This vulnerability can be exploited by an attacker to cause Apache Subversion to crash.

This is the reason why I am looking for an upgrade to Subversion 1.14.5.

Thank you.

Mark Phippard

Oct 30, 2023, 9:53:26 AM
to JITHIN K, Nathan Hartman, us...@subversion.apache.org
Generally speaking, you do not need to worry about this when using a
supported distro like Ubuntu. While they do not update to new versions
of a package like Subversion, they do their own backporting of
security and other important fixes to the version in their distro. So
the 1.13 that is in Ubuntu is not exactly equivalent to Subversion
1.13. It is really 1.13 + all fixes that Ubuntu thinks they should
backport. You can see the changelog here and these fixes have all
been backported:

http://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog

This is true across ALL the packages that the distro provides.

It is not that I do not think upgrading to 1.14 has some value, it is
that in general I do not recommend fighting against your distro. Use
the packages they provide and support. The distro is your real source
of support, not all the OSS projects that are packaged into it.

Mark

JITHIN K

Nov 1, 2023, 11:06:40 AM
to Mark Phippard, Nathan Hartman, us...@subversion.apache.org
Hello Mark,

Thank you and appreciate your email.
The Subversion version in my Ubuntu server is 1.13.0-3ubuntu0.2 and when I check the change log https://changelogs.ubuntu.com/changelogs/pool/universe/s/subversion/subversion_1.13.0-3ubuntu0.2/changelog
I could see that the security update for CVE-2020-17525 is included in 1.13.0-3ubuntu0.2, but patches for the other three were not included (CVE-2021-21298, CVE-2021-21297, CVE-2021-21296). Does that mean that in the next Ubuntu 20.04.x release they will include patches for these vulnerabilities?

Thanks. Regards Jithin
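
The changelog check discussed in this thread, as an added example that is not part of any poster's message: a shell function that reports the oldest changelog entry mentioning each CVE ID. The changelog text is a constructed sample (only the version 1.13.0-3ubuntu0.2 and CVE-2020-17525 are taken from the thread), and the function names `sample_changelog` and `cve_status` are hypothetical.

```shell
#!/bin/sh
# Constructed sample in Debian changelog format (newest entry first).
# Only the version 1.13.0-3ubuntu0.2 and CVE-2020-17525 come from the thread.
sample_changelog() {
cat <<'EOF'
subversion (1.13.0-3ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: constructed entry text
    - debian/patches/CVE-2020-17525.patch: constructed description
    - CVE-2020-17525

 -- Placeholder Maintainer <maintainer@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000

subversion (0.0.0-constructed1) focal; urgency=medium

  * Constructed older entry with no security fix.

 -- Placeholder Maintainer <maintainer@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000
EOF
}

# usage: cve_status CHANGELOG_FILE CVE-ID...
# Prints "<CVE> fixed-in <version>" or "<CVE> not-mentioned" for each ID.
cve_status() {
    changelog=$1; shift
    for cve in "$@"; do
        awk -v cve="$cve" '
            # Entry header: "package (version) suite; urgency=..."
            /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {
                ver = $2; gsub(/[()]/, "", ver)
            }
            # Whole-ID match: the ID must not be followed by another digit.
            $0 ~ (cve "([^0-9]|$)") { oldest = ver }
            END {
                # Entries are newest first, so the last match is the
                # entry where the fix first appeared.
                if (oldest != "") print cve, "fixed-in", oldest
                else print cve, "not-mentioned"
            }
        ' "$changelog"
    done
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp)
sample_changelog > "$tmp"
cve_status "$tmp" CVE-2020-17525 CVE-2021-21298
rm -f "$tmp"
```

On a real system the input can come from `apt-get changelog subversion` or from `/usr/share/doc/subversion/changelog.Debian.gz`. A "not-mentioned" result only says the changelog does not name the ID; whether the packaged version is affected at all has to be checked against the distribution's own security tracker.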

