Mercurial 3.2.3 released (security fix)
Javi Merino
vicho at debian.org
Sun Dec 21 19:39:05 UTC 2014
Hi Matt,
On Thu, Dec 18, 2014 at 03:01:24PM -0600, Matt Mackall wrote:
> This addresses some issues we discovered in Git and Mercurial for
> CVE-2014-9390. Please update your package builds as soon as possible.
Distributions like Debian and Ubuntu have stable releases that fix
security issues by applying the "minimum" changes possible to the
released version instead of upgrading to the latest version. Jamie
(CCed) has backported these changesets to fix this CVE in Ubuntu[0]:
- http://selenic.com/repo/hg-stable/rev/035434b407be
- http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
- http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
- http://selenic.com/repo/hg-stable/rev/7a5bcd471f2e
- http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
[0] https://launchpadlibrarian.net/193058010/mercurial_3.1.2-1ubuntu1_source.changes
To me it looks like 7a5bcd471f2e (darwin: omit ignorable codepoints
when normcase()ing a file path) is not needed for Linux as its
codepath is only triggered "if sys.platform == 'darwin':". Are these
the correct ones or are we missing some?
Thanks,
Javi