Hi Guido,

On Wed, May 27, 2015 at 07:06:05PM +0200, Guido Günther wrote:
> On Wed, May 27, 2015 at 12:16:38PM +0100, Javi Merino wrote:
> > [Dropping python-apps-team]
> >
> > Hi debian-lts,
> >
> > On Tue, May 12, 2015 at 10:15:38PM +0900, Javi Merino wrote:
> > > Hi Raphael,
> > >
> > > On Mon, May 11, 2015 at 08:42:23PM +0200, Raphael Hertzog wrote:
> > > > Hello dear maintainer(s),
> > > >
> > > > the Debian LTS team would like to fix the security issues which are
> > > > currently open in the Squeeze version of mercurial:
> > > > https://security-tracker.debian.org/tracker/CVE-2014-9462
> > > > https://security-tracker.debian.org/tracker/CVE-2014-9390 (optional, is
> > > > tagged no-dsa)
> > > >
> > > > Would you like to take care of this yourself? We are still understaffed so
> > > > any help is always highly appreciated.
> > >
> > > If you are understaffed I'm happy to help preparing the update. I'll
> > > hopefully have time to do it tomorrow, I'll claim the DLA when I start
> > > working on it.
> >
> > I've prepared a package for squeeze lts that fixes CVE-2014-9462 and
> > CVE-2014-9390. Find attached the debdiff.
> >
> > I've run the testsuite in a squeeze chroot and it passes, but I'm not
> > entirely sure that a) I haven't broken anything and b) my backport of
> > the security fix is valid -- the code has changed a lot between
> > mercurial 1.6.4 and 3.2.3. I'd appreciate if somebody did some more
> > testing. The packages can be found in:
> >
> > https://people.debian.org/~vicho/mercurial_squeeze/
>
> I'm happy to test this since I already had a look at the CVEs. But I
> won't get around to it before Friday. I'll just check if the DLA is out
> until then and if now will do the testing and report back.

No problem, I'll hold the upload until the weekend.

Thanks!
Javi