[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: squeeze update of mercurial?

[Dropping python-apps-team]

Hi debian-lts,

On Tue, May 12, 2015 at 10:15:38PM +0900, Javi Merino wrote:
> Hi Raphael,
> On Mon, May 11, 2015 at 08:42:23PM +0200, Raphael Hertzog wrote:
> > Hello dear maintainer(s),
> > 
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of mercurial:
> > https://security-tracker.debian.org/tracker/CVE-2014-9462
> > https://security-tracker.debian.org/tracker/CVE-2014-9390 (optional, is
> > tagged no-dsa)
> > 
> > Would you like to take care of this yourself? We are still understaffed so
> > any help is always highly appreciated.
> If you are understaffed I'm happy to help preparing the update.  I'll
> hopefully have time to do it tomorrow, I'll claim the DLA when I start
> working on it.

I've prepared a package for squeeze lts that fixes CVE-2014-9462 and
CVE-2014-9390.  Find attached the debdiff.

I've run the testsuite in a squeeze chroot and it passes, but I'm not
entirely sure that a) I haven't broken anything and b) my backport of
the security fix is valid -- the code has changed a lot between
mercurial 1.6.4 and 3.2.3.  I'd appreciate if somebody did some more
testing.  The packages can be found in:


Please CC me on replies, I'm not subscribed to the list.

File lists identical (after any substitutions)

Control files of package mercurial: lines which differ (wdiff format)
Architecture: [-i386-] {+amd64+}
Depends: libc6 (>= 2.4), python (<< 2.7), python (>= 2.5), python-support (>= 0.90.0), ucf (>= 2.0020), mercurial-common (= [-1.6.4-1)-] {+1.6.4-1+deb6u1)+}
Installed-Size: [-328-] {+368+}
Version: [-1.6.4-1-] {+1.6.4-1+deb6u1+}

Control files of package mercurial-common: lines which differ (wdiff format)
Breaks: mercurial (<< [-1.6.4-1)-] {+1.6.4-1+deb6u1)+}
Installed-Size: [-5064-] {+5068+}
Recommends: mercurial (= [-1.6.4-1)-] {+1.6.4-1+deb6u1)+}
Version: [-1.6.4-1-] {+1.6.4-1+deb6u1+}

Attachment: signature.asc
Description: Digital signature

Reply to: