Hi Guido, On Wed, Jun 03, 2015 at 08:17:13AM +0200, Guido Günther wrote: > On Tue, Jun 02, 2015 at 09:20:57PM +0100, Javi Merino wrote: > > On Fri, May 29, 2015 at 04:01:24PM +0200, Guido Günther wrote: > > > On Wed, May 27, 2015 at 12:16:38PM +0100, Javi Merino wrote: > > > > On Tue, May 12, 2015 at 10:15:38PM +0900, Javi Merino wrote: > > > > > On Mon, May 11, 2015 at 08:42:23PM +0200, Raphael Hertzog wrote: > > > > > > Hello dear maintainer(s), > > > > > > > > > > > > the Debian LTS team would like to fix the security issues which are > > > > > > currently open in the Squeeze version of mercurial: > > > > > > https://security-tracker.debian.org/tracker/CVE-2014-9462 > > > > > > https://security-tracker.debian.org/tracker/CVE-2014-9390 (optional, is > > > > > > tagged no-dsa) > > > > > > > > > > > > Would you like to take care of this yourself? We are still understaffed so > > > > > > any help is always highly appreciated. > > > > > > > > > > If you are understaffed I'm happy to help preparing the update. I'll > > > > > hopefully have time to do it tomorrow, I'll claim the DLA when I start > > > > > working on it. > > > > > > > > I've prepared a package for squeeze lts that fixes CVE-2014-9462 and > > > > CVE-2014-9390. Find attached the debdiff. > > > > > > > > I've run the testsuite in a squeeze chroot and it passes, but I'm not > > > > entirely sure that a) I haven't broken anything and b) my backport of > > > > the security fix is valid -- the code has changed a lot between > > > > mercurial 1.6.4 and 3.2.3. I'd appreciate if somebody did some more > > > > testing. The packages can be found in: > > > > > > > > https://people.debian.org/~vicho/mercurial_squeeze/ > > > > > > > > Please CC me on replies, I'm not subscribed to the list. > > > > > > I've ported over more of upstream's _serverquote usage since we need to > > > protect the remotecmd and path as well to not stay vulnerable. > > > > > > Furthermore I ported over the test for CVE-2014-9390 and to be sure > > > the issue doesn't creep back in we're running it during the build. > > > > > > I think with these changes we're good to go. Are you handling the > > > upload? > > > > I'm happy with the changes and the tests. I thought about adding the > > tests, but I had forgotten how the testsuite used to work in those > > days worked and after scratching my head a bit I gave up. Thanks for > > those. > > > > I've added your changes to the svn and ran the testsuite in a squeeze > > chroot. It passed so I've uploaded the package to ftp-master. > > Thanks for handling the upload! Shall I handle the security announcement > (DLA)? Yes, please. I had completely forgotten about it. Thanks, Javi
Attachment:
signature.asc
Description: Digital signature