On Sun, May 26, 2019 at 09:07:11PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Apr 21, 2019 at 12:32:13AM +0200, Moritz Muehlenhoff wrote:
> > Source: mercurial
> > Version: 4.8.2-1
> > Severity: grave
> > Tags: security
> >
> > See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9:
> >
> > This was assigned CVE-2019-3902:
> > It was possible to use symlinks and subrepositories to defeat Mercurial's
> > path-checking logic and write files outside a repository. This has been
> > fixed. Users on older versions can either disable subrepositories with
> > [subrepos] allowed=false in their configuration or by ensuring any cloned
> > repositories don't contain malicious symlinks.
> >
> > This is fixed in sid, but buster still has 4.8.2.
>
> A month later this is still unfixed in buster. Does anyone care about having
> this in a stable release? Probably not, because no one cared about stretch
> already either:
> https://security-tracker.debian.org/tracker/source-package/mercurial

So initially my hope was to get 4.9 in buster; however, that failed due to
reverse deps (hg-git and tortoisehg) not being ready in time.
And since I don't read bug mail I missed your messages here.

> If that's the case, let's drop it from buster?

Let's not... I'll see what I can do.

Cheers,
Julien
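The thread's stated workaround for hosts still on a pre-4.9 Mercurial is the `[subrepos] allowed=false` configuration setting. The script below is an added example, written for this page and not taken from the bug thread, from Debian or from Mercurial's own code. It shows how to check whether that mitigation is actually in effect once several hgrc files are layered, including the failure mode where a later file silently re-enables subrepositories. The sample configuration texts are constructed, and the layering model (files read in order, later values overriding earlier ones, no `%include` handling) is a simplified assumption rather than a reproduction of Mercurial's loader.

```python
"""Check whether layered Mercurial hgrc files disable subrepositories.

Added example for the CVE-2019-3902 workaround quoted in the thread; it is
not Mercurial's code and not part of the bug report. Assumption: config files
are read in the given order and a later file overrides an earlier one.
Mercurial's real loader has extra features (%include, trust checks, per-OS
sections) that this simplified parser ignores.
"""
import configparser
from pathlib import Path
from typing import Iterable, Optional

# Constructed sample configs (not files taken from the page).

# Weak by omission: no [subrepos] section, so the default (allowed) applies.
SYSTEM_HGRC = """
[ui]
username = Example User <user@example.invalid>
"""

# The hardened setting named in the advisory text.
USER_HGRC_HARDENED = """
[subrepos]
allowed = false
"""

# A per-repository hgrc that re-enables hg subrepositories again.
REPO_HGRC_REENABLE = """
[subrepos]
allowed = hg
"""


def subrepos_allowed_value(texts: Iterable[str]) -> Optional[str]:
    """Return the effective [subrepos] allowed value after layering.

    Returns None when no file sets it, which means Mercurial's default
    (subrepositories allowed) is in force.
    """
    value = None
    for text in texts:
        # interpolation=None: hgrc values may contain '%' and are not
        # configparser-style templates; strict=False tolerates duplicate keys.
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read_string(text)
        if parser.has_option("subrepos", "allowed"):
            value = parser.get("subrepos", "allowed").strip()
    return value


def subrepos_disabled(texts: Iterable[str]) -> bool:
    """True only if the effective setting is exactly 'false'.

    Any other value (unset, 'hg', 'hg,git', 'true') leaves subrepositories
    enabled for at least one subrepository type.
    """
    value = subrepos_allowed_value(texts)
    return value is not None and value.lower() == "false"


def subrepos_disabled_in_files(paths: Iterable[Path]) -> bool:
    """Same check over real files, skipping ones that do not exist."""
    texts = [p.read_text() for p in paths if p.is_file()]
    return subrepos_disabled(texts)


if __name__ == "__main__":
    layers = {
        "system only": [SYSTEM_HGRC],
        "system + hardened user hgrc": [SYSTEM_HGRC, USER_HGRC_HARDENED],
        "system + user + repo re-enable": [SYSTEM_HGRC, USER_HGRC_HARDENED, REPO_HGRC_REENABLE],
    }
    for label, texts in layers.items():
        print(f"{label}: allowed={subrepos_allowed_value(texts)!r} "
              f"mitigated={subrepos_disabled(texts)}")
```

On a host where Mercurial is installed, `hg config subrepos.allowed` (and `hg config --debug subrepos.allowed`, which prefixes each value with the file it came from) gives the authoritative answer, since it uses Mercurial's own loader rather than this simplified one; the script is useful for auditing hgrc files offline or in bulk, and its main lesson is that the setting must be checked after layering, because a repository-level hgrc can quietly undo a system-wide `allowed = false`.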