Please see the URL.
Reproducible: Didn't try
Steps to Reproduce: Patch available here: http://bugs.debian.org/cgi-bin/bugreport.cgi/neon26_0.26.2-3_to_mdx1.diff?bug=404723;msg=5;att=2
Is this upstream? Do we need GLSA for that?
It's a client-side DoS; usually we don't handle client-side DoS, since a bad URI is also a form of disruption of service. But thanks a lot for the report, Kalin. Reassigning to the maintainer as a non-security bug.
And reassigning. Paul is not the real maintainer, but... who else? There is no upstream fixed release according to http://www.webdav.org/neon/ . A proposed patch is provided in the Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi/neon26_0.26.2-3_to_mdx1.diff?bug=404723;msg=5;att=2 Paul, act as you want :)
bumped to 0.26.3 at least
fixed in 0.26.4