Bug#773796: wheezy-pu: package mercurial/2.2.2-4

["Adam D. Barratt" <adam@adam-barratt.org.uk>]

Control: tags -1 + moreinfo

Hi,

On 2014-12-23 12:15, Javi Merino wrote:
> mercurial in wheezy is affected by CVE-2014-9390[0] (Errors in
> handling case-sensitive directories allow for remote code execution on
> pull).  The security team says that few users are affected by it as it
> only affects you if you are running on a case-sensitive filesystem.
> They say it should go through stable-proposed-updates.
>
> Upstream has said that three patches[1] need to be backported to fix
> it.  I've done it for wheezy and prepared an upload, see the attached
> debdiff against the current version in wheezy: 2.2.2-3.
>
> [0] https://security-tracker.debian.org/tracker/CVE-2014-9390
> [1] 
> http://selenic.com/pipermail/mercurial-packaging/2014-December/000133.html

Thanks for looking at fixing this in stable.

The patches look okay, but it appears that this hasn't been fixed in 
unstable yet. Is that correct? If so then we generally prefer to get 
unstable fixed first, so that the changes can get some testing there.

Regards,

Adam