Your message dated Fri, 11 Aug 2017 10:19:32 +0000
with message-id <e1dg72s-0006k5...@fasolo.debian.org>
and subject line Bug#871710: fixed in mercurial 4.3.1-1
has caused the Debian Bug report #871710,
regarding mercurial: CVE-2017-1000116: command injection on clients through malicious ssh URLs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
871710: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871710
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mercurial
Version: 4.0-1
Severity: grave
Tags: upstream security
Hi,
the following vulnerability was published for mercurial.
CVE-2017-1000116[0]:
command injection on clients through malicious ssh URLs
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-1000116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mercurial
Source-Version: 4.3.1-1
We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 871...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tristan Seligmann <mithra...@debian.org> (supplier of updated mercurial package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 11 Aug 2017 05:00:16 +0200
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source
Version: 4.3.1-1
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
Changed-By: Tristan Seligmann <mithra...@debian.org>
Description:
mercurial - easy-to-use, scalable distributed version control system
mercurial-common - easy-to-use, scalable distributed version control system
(common
Closes: 861243 868014 871709 871710
Changes:
mercurial (4.3.1-1) unstable; urgency=high
.
* Urgency high because of important security fixes.
* New upstream release (closes: #868014).
- CVE-2017-1000115: Mercurial's symlink auditing was incomplete prior
to 4.3, and could be abused to write to files outside the
repository (closes: #871709).
- CVE-2017-1000116: Mercurial was not sanitizing hostnames passed to
ssh, allowing shell injection attacks by specifying a hostname
starting with -oProxyCommand (closes: #871710).
- CVE-2017-9462: previously fixed in 4.1.3 upstream (closes: #861243).
* Blacklist test-https.t due to TLS 1.0/1.1 being disabled in OpenSSL in
unstable.
* Fix license definitions in debian/copyright.
* Bump Standards-Version to 4.0.0 (no changes).
* Run wrap-and-sort -t -s.
--- End Message ---
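The changelog entry above describes CVE-2017-1000116 as ssh being handed an unsanitized hostname, such as one beginning with -oProxyCommand. As an added illustration that is not Mercurial's or the Debian package's own code, the Python below shows the defensive pattern a client can apply when it builds the ssh command from an ssh:// URL: allow-list the user and host characters, refuse any part that starts with '-', put '--' before the destination so ssh stops option parsing, and pass an argv list instead of a shell string. The function name ssh_argv, the is_rejected helper and the assumed remote command form 'hg -R <repo> serve --stdio' are illustrative assumptions.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed allow-lists: hostname/IPv6 literal characters and user names.
# The leading character is checked separately, because ssh treats any
# argument beginning with '-' as an option (e.g. -oProxyCommand=...).
_HOST_CHARS = re.compile(r'^[A-Za-z0-9.:-]+$')
_USER_CHARS = re.compile(r'^[A-Za-z0-9._-]+$')


class UnsafeUrl(ValueError):
    """Raised when an ssh:// URL would let one of its parts be read as an ssh option."""


def ssh_argv(url):
    """Build the argv for an ssh transport from an ssh:// URL, or raise UnsafeUrl.

    Defensive points: the result is an argv list (never a shell string),
    user and host are allow-listed and may not start with '-', and '--'
    ends ssh option parsing before the destination is appended.
    """
    try:
        parts = urlsplit(url)
        host, user, port = parts.hostname, parts.username, parts.port
    except ValueError as e:
        raise UnsafeUrl('unparseable URL %r: %s' % (url, e))
    if parts.scheme != 'ssh' or not host:
        raise UnsafeUrl('not an ssh URL: %r' % url)
    if host.startswith('-') or not _HOST_CHARS.match(host):
        raise UnsafeUrl('refusing host %r' % host)
    if user is not None and (user.startswith('-') or not _USER_CHARS.match(user)):
        raise UnsafeUrl('refusing user %r' % user)
    argv = ['ssh']
    if port is not None:
        argv += ['-p', str(port)]
    argv.append('--')  # nothing after this can be parsed as an ssh option
    argv.append('%s@%s' % (user, host) if user else host)
    # The remote command is a single ssh argument that the remote shell
    # interprets, so each piece is shell-quoted (assumed command form).
    repo = parts.path.lstrip('/') or '.'
    argv.append(' '.join(shlex.quote(x) for x in ['hg', '-R', repo, 'serve', '--stdio']))
    return argv


def is_rejected(url):
    """True if ssh_argv refuses the URL; useful for tests and for log review."""
    try:
        ssh_argv(url)
    except UnsafeUrl:
        return True
    return False
```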