
Re: squeeze update of mercurial?



[Dropping python-apps-team]

Hi debian-lts,

On Tue, May 12, 2015 at 10:15:38PM +0900, Javi Merino wrote:
> Hi Raphael,
> 
> On Mon, May 11, 2015 at 08:42:23PM +0200, Raphael Hertzog wrote:
> > Hello dear maintainer(s),
> > 
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of mercurial:
> > https://security-tracker.debian.org/tracker/CVE-2014-9462
> > https://security-tracker.debian.org/tracker/CVE-2014-9390 (optional, is
> > tagged no-dsa)
> > 
> > Would you like to take care of this yourself? We are still understaffed so
> > any help is always highly appreciated.
> 
> If you are understaffed I'm happy to help preparing the update.  I'll
> hopefully have time to do it tomorrow, I'll claim the DLA when I start
> working on it.

I've prepared a package for squeeze lts that fixes CVE-2014-9462 and
CVE-2014-9390.  Find attached the debdiff.

I've run the testsuite in a squeeze chroot and it passes, but I'm not
entirely sure that a) I haven't broken anything and b) my backport of
the security fix is valid -- the code has changed a lot between
mercurial 1.6.4 and 3.2.3.  I'd appreciate if somebody did some more
testing.  The packages can be found in:

https://people.debian.org/~vicho/mercurial_squeeze/

Please CC me on replies, I'm not subscribed to the list.

Cheers,
Javi

File lists identical (after any substitutions)

Control files of package mercurial: lines which differ (wdiff format)
---------------------------------------------------------------------
Architecture: [-i386-] {+amd64+}
Depends: libc6 (>= 2.4), python (<< 2.7), python (>= 2.5), python-support (>= 0.90.0), ucf (>= 2.0020), mercurial-common (= [-1.6.4-1)-] {+1.6.4-1+deb6u1)+}
 [-.-]
 {+..+}
Installed-Size: [-328-] {+368+}
Version: [-1.6.4-1-] {+1.6.4-1+deb6u1+}
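
Review bot: The Architecture line shows an i386 build of 1.6.4-1 being compared against an amd64 build of 1.6.4-1+deb6u1, so the Installed-Size change from 328 to 368 here cannot be attributed to the security fixes alone. Comparing against the amd64 build of 1.6.4-1 would isolate what the update changed. This output covers only file lists and control fields, so the backported fixes for CVE-2014-9462 and CVE-2014-9390 still need to be reviewed from the source debdiff.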

Control files of package mercurial-common: lines which differ (wdiff format)
----------------------------------------------------------------------------
Breaks: mercurial (<< [-1.6.4-1)-] {+1.6.4-1+deb6u1)+}
 [-.-]
 {+..+}
Installed-Size: [-5064-] {+5068+}
Recommends: mercurial (= [-1.6.4-1)-] {+1.6.4-1+deb6u1)+}
Version: [-1.6.4-1-] {+1.6.4-1+deb6u1+}
