[Python-apps-team] Bug#783237: CVE-2014-9462

Javi Merino vicho at debian.org
Sat May 2 08:04:42 UTC 2015


On Fri, May 01, 2015 at 08:53:28PM +0200, Alessandro Ghedini wrote:
> On Fri, May 01, 2015 at 07:16:07PM +0100, Javi Merino wrote:
> > On Fri, Apr 24, 2015 at 01:21:56PM +0200, Moritz Muehlenhoff wrote:
> > > Package: mercurial
> > > Severity: important
> > > Tags: security
> > > 
> > > Please see
> > > http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
> > > 
> > > Fix:
> > > http://selenic.com/hg/rev/e3f30068d2eb
> > 
> > I've prepared a fix for this, find the diff attached.  Can I upload it
> > to stable-security?
> 
> > Index: debian/changelog
> > ===================================================================
> > --- debian/changelog	(revisión: 11645)
> > +++ debian/changelog	(copia de trabajo)
> > @@ -1,3 +1,11 @@
> > +mercurial (3.1.2-2+deb8u1) stable-security; urgency=high
> 
> Please use jessie-security instead of stable-security.

Ok

> Otherwise the upload looks good. Once the above is fixed you can go ahead and
> upload to security-master. Remember to build the package with full upstream
> sources (dpkg-buildpackage -sa), since this would be the first upload to
> jessie-security for mercurial.

Uploaded with full upstream sources.

> Also, the vulnerability seems to affect the wheezy version as well, could you
> please prepare an upload targeting wheezy-security as well?

Sure, I'll do that soon.  Cheers,
Javi