Control: tags -1 + moreinfo

Hi,

On 2014-12-23 12:15, Javi Merino wrote:
> mercurial in wheezy is affected by CVE-2014-9390[0] (Errors in
> handling case-sensitive directories allow for remote code execution on
> pull).  The security team says that few users are affected by it as it
> only affects you if you are running on a case-sensitive filesystem.
> They say it should go through stable-proposed-updates.
>
> Upstream has said that three patches[1] need to be backported to fix
> it.  I've done it for wheezy and prepared an upload, see the attached
> debdiff against the current version in wheezy: 2.2.2-3.
>
> [0] https://security-tracker.debian.org/tracker/CVE-2014-9390
> [1] http://selenic.com/pipermail/mercurial-packaging/2014-December/000133.html

Thanks for looking at fixing this in stable.

The patches look okay, but it appears that this hasn't been fixed in unstable yet. Is that correct? If so then we generally prefer to get unstable fixed first, so that the changes can get some testing there.

Regards,

Adam

