
Re: squeeze update of mercurial?



Hi Javi,
On Wed, May 27, 2015 at 12:16:38PM +0100, Javi Merino wrote:
> [Dropping python-apps-team]
> 
> Hi debian-lts,
> 
> On Tue, May 12, 2015 at 10:15:38PM +0900, Javi Merino wrote:
> > Hi Raphael,
> > 
> > On Mon, May 11, 2015 at 08:42:23PM +0200, Raphael Hertzog wrote:
> > > Hello dear maintainer(s),
> > > 
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of mercurial:
> > > https://security-tracker.debian.org/tracker/CVE-2014-9462
> > > https://security-tracker.debian.org/tracker/CVE-2014-9390 (optional, is
> > > tagged no-dsa)
> > > 
> > > Would you like to take care of this yourself? We are still understaffed so
> > > any help is always highly appreciated.
> > 
> > If you are understaffed I'm happy to help preparing the update.  I'll
> > hopefully have time to do it tomorrow, I'll claim the DLA when I start
> > working on it.
> 
> I've prepared a package for squeeze lts that fixes CVE-2014-9462 and
> CVE-2014-9390.  Find attached the debdiff.
> 
> I've run the testsuite in a squeeze chroot and it passes, but I'm not
> entirely sure that a) I haven't broken anything and b) my backport of
> the security fix is valid -- the code has changed a lot between
> mercurial 1.6.4 and 3.2.3.  I'd appreciate if somebody did some more
> testing.  The packages can be found in:
> 
> https://people.debian.org/~vicho/mercurial_squeeze/

I'm happy to test this since I already had a look at the CVEs. But I
won't get around to it before Friday. I'll just check if the DLA is out
until then and if not will do the testing and report back.
Cheers,
 -- Guido

