Re: squeeze update of mercurial?
On Tue, Jun 02, 2015 at 09:20:57PM +0100, Javi Merino wrote:
> Hi Guido,
> On Fri, May 29, 2015 at 04:01:24PM +0200, Guido Günther wrote:
> > On Wed, May 27, 2015 at 12:16:38PM +0100, Javi Merino wrote:
> > > On Tue, May 12, 2015 at 10:15:38PM +0900, Javi Merino wrote:
> > > > On Mon, May 11, 2015 at 08:42:23PM +0200, Raphael Hertzog wrote:
> > > > > Hello dear maintainer(s),
> > > > >
> > > > > the Debian LTS team would like to fix the security issues which are
> > > > > currently open in the Squeeze version of mercurial:
> > > > > https://security-tracker.debian.org/tracker/CVE-2014-9462
> > > > > https://security-tracker.debian.org/tracker/CVE-2014-9390 (optional, is
> > > > > tagged no-dsa)
> > > > >
> > > > > Would you like to take care of this yourself? We are still understaffed so
> > > > > any help is always highly appreciated.
> > > >
> > > > If you are understaffed I'm happy to help preparing the update. I'll
> > > > hopefully have time to do it tomorrow, I'll claim the DLA when I start
> > > > working on it.
> > >
> > > I've prepared a package for squeeze lts that fixes CVE-2014-9462 and
> > > CVE-2014-9390. Find attached the debdiff.
> > >
> > > I've run the testsuite in a squeeze chroot and it passes, but I'm not
> > > entirely sure that a) I haven't broken anything and b) my backport of
> > > the security fix is valid -- the code has changed a lot between
> > > mercurial 1.6.4 and 3.2.3. I'd appreciate if somebody did some more
> > > testing. The packages can be found in:
> > >
> > > https://people.debian.org/~vicho/mercurial_squeeze/
> > >
> > > Please CC me on replies, I'm not subscribed to the list.
> > I've ported over more of upstream's _serverquote usage since we need to
> > protect the remotecmd and path as well to not stay vulnerable.
> > Furthermore I ported over the test for CVE-2014-9390 and to be sure
> > the issue doesn't creep back in we're running it during the build.
> > I think with these changes we're good to go. Are you handling the
> > upload?
> I'm happy with the changes and the tests. I thought about adding the
> tests, but I had forgotten how the testsuite used to work in those
> days, and after scratching my head a bit I gave up. Thanks for
> I've added your changes to the svn and ran the testsuite in a squeeze
> chroot. It passed so I've uploaded the package to ftp-master.
Thanks for handling the upload! Shall I handle the security announcement
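The point Guido makes above, that the remote command and the path have to be quoted as well as the host before they are handed to the remote shell, is illustrated below as an added example. It is not mercurial's own `_serverquote` code and not part of the thread; the whitelist regex, the function names and the sample values are assumptions constructed for this example. The round-trip helper feeds the quoted value to a real POSIX `sh` so the effect of the quoting can be checked locally.

```python
"""Quoting every component of an ssh command line (added example).

Assumptions: the whitelist of characters that may pass unquoted, the
function names and the sample strings are constructed here; they are not
mercurial's own code.
"""
import re
import subprocess

# Characters that are safe to leave unquoted for a POSIX shell. Anything
# outside this set gets single-quoted. (Assumption: a common ssh-wrapper
# idiom, chosen for the example.)
_SAFE = re.compile(r"[a-zA-Z0-9@%_+=:,./-]*$")


def serverquote(s):
    """Quote one argument for the remote shell.

    Empty and purely safe strings are returned as-is; everything else is
    wrapped in single quotes, with embedded single quotes closed, escaped
    and reopened ('\\'') so the shell sees a single word.
    """
    if not s:
        return s
    if _SAFE.match(s):
        return s
    return "'" + s.replace("'", "'\\''") + "'"


def build_ssh_command(host, remotecmd, path):
    """Return argv for running `<remotecmd> -R <path> serve --stdio` over ssh.

    The host is passed as its own argv element after `--`, so it cannot be
    parsed as an ssh option; remotecmd and path are quoted individually
    because ssh joins the remote command into one string that the remote
    login shell re-parses.
    """
    remote = "%s -R %s serve --stdio" % (serverquote(remotecmd), serverquote(path))
    return ["ssh", "--", host, remote]


def roundtrip_through_shell(arg):
    """Feed the quoted argument to a local POSIX sh and return what it saw.

    printf prints one line per argument, so a correctly quoted value comes
    back as exactly one line equal to the original.
    """
    script = "printf '%s\\n' " + serverquote(arg)
    out = subprocess.run(["sh", "-c", script], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    # Constructed sample path containing spaces, an ampersand and quotes.
    sample = "path with spaces & 'quotes'"
    print(build_ssh_command("example.invalid", "hg", sample))
    print(roundtrip_through_shell(sample))
```

Running the module prints the argv that would be passed to ssh and shows that the quoted sample comes back from the shell as a single argument, unchanged.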