On Fri, May 01, 2015 at 08:53:28PM +0200, Alessandro Ghedini wrote:
> On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
> > On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> > > Package: mercurial
> > > Severity: important
> > > Tags: security
> > >
> > > Please see
> > > http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> > >
> > > Fix:
> > > http://selenic.com/hg/rev/e3f30068d2eb
> >
> > I've prepared a fix for this, find the diff attached. Can I upload it
> > to stable-security?
> >
> > Index: debian/changelog > > =================================================================== > > --- debian/changelog (revisión: 11645) > > +++ debian/changelog (copia de trabajo) > > @@ -1,3 +1,11 @@ > > +mercurial (3.1.2-2+deb8u1) stable-security; urgency=high
>
> Please use jessie-security instead of stable-security.
Ok

> Otherwise the upload looks good. Once the above is fixed you can go ahead and
> upload to security-master. Remember to build the package with full upstream
> sources (dpkg-buildpackage -sa), since this would be the first upload to
> jessie-security for mercurial.

Uploaded with full upstream sources.

> Also, the vulnerability seems to affect the wheezy version as well, could you
> please prepare an upload targeting wheezy-security as well?

Sure, I'll do that soon.

Cheers,
Javi
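
Review bot: the distribution field on the added changelog header line, `+mercurial (3.1.2-2+deb8u1) stable-security; urgency=high`, should name the release suite jessie-security, which also matches the +deb8u1 version suffix. The hunk header `@@ -1,3 +1,11 @@` shows the new entry runs past the single line quoted here, so the entry body cannot be checked from this excerpt; confirm it cites CVE-2014-9462.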