CVE-2021-28544

Name	CVE-2021-28544
Description	Apache Subversion SVN authz protected copyfrom paths regression Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-5119-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
subversion (PTS)	jessie, jessie (lts)	1.8.10-6+deb8u7	fixed
	stretch (security), stretch (lts), stretch	1.9.5-1+deb9u6	fixed
	buster, buster (security)	1.10.4-1+deb10u3	fixed
	bullseye (security), bullseye	1.14.1-3+deb11u1	fixed
	bookworm	1.14.2-4	fixed
	trixie, sid	1.14.3-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
subversion	source	jessie	(not affected)
subversion	source	stretch	(not affected)
subversion	source	buster	1.10.4-1+deb10u3	DSA-5119-1
subversion	source	bullseye	1.14.1-3+deb11u1	DSA-5119-1
subversion	source	(unstable)	1.14.2-1

Notes

[stretch] - subversion <not-affected> (New upstream regression/unit test passes, so no leak in this version)
https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
[jessie] - subversion <not-affected> (New upstream regression/unit test passes, so no leak in this version)