[Python-apps-team] Bug#927674: CVE-2019-3902

Julien Cristau jcristau at debian.org
Tue May 28 09:47:19 BST 2019


On Sun, May 26, 2019 at 09:07:11PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Apr 21, 2019 at 12:32:13AM +0200, Moritz Muehlenhoff wrote:
> > Source: mercurial
> > Version: 4.8.2-1
> > Severity: grave
> > Tags: security
> > 
> > See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9:
> > 
> > This was assigned CVE-2019-3902:
> > It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking
> > logic and write files outside a repository. This has been fixed. Users on older versions
> > can either disable subrepositories with [subrepos] allowed=false in their configuration
> > or ensure any cloned repositories don't contain malicious symlinks.
> > 
> > This is fixed in sid, but buster still has 4.8.2.
> 
> A month later this is still unfixed in buster. Does anyone care about having this
> in a stable release? Probably not, because no one cared about stretch already either:
> https://security-tracker.debian.org/tracker/source-package/mercurial
> 
So initially my hope was to get 4.9 in buster, however that failed due
to reverse deps (hg-git and tortoisehg) not being ready in time.

And since I don't read bug mail I missed your messages here.

> If that's the case, let's drop it from buster?
> 
Let's not... I'll see what I can do.

Cheers,
Julien
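The release note quoted above gives two mitigations for CVE-2019-3902: set `[subrepos] allowed=false`, or make sure a cloned repository contains no symlinks that point outside it. The following is an added example, not code from this thread or from Mercurial, of checking both on a checkout: it scans a working directory for symlinks that resolve outside the repository root (dangling links included) and reads the `subrepos.allowed` setting from an hgrc with plain ini parsing, which is an assumption, since Mercurial's own config syntax has more features.

```python
import configparser
import os
import tempfile
from pathlib import Path


def escaping_symlinks(repo_root):
    """Repo-relative paths of symlinks that resolve outside repo_root.
    Dangling links and link loops are reported too: their target is unknown."""
    root = Path(repo_root).resolve()
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # skip the .hg store; os.walk lists symlinked dirs but does not descend into them
        dirnames[:] = [d for d in dirnames if d != ".hg"]
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if not path.is_symlink():
                continue
            try:
                target = path.resolve(strict=True)
            except (OSError, RuntimeError):  # dangling link or symlink loop
                found.append(str(path.relative_to(root)))
                continue
            if target != root and root not in target.parents:
                found.append(str(path.relative_to(root)))
    return sorted(found)


def subrepos_allowed(hgrc_text):
    """True unless the hgrc text sets [subrepos] allowed = false.
    Assumption: an ini parser is enough for the settings we care about."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(hgrc_text)
    return cp.getboolean("subrepos", "allowed", fallback=True)


def demo():
    """Build a constructed checkout with one benign, one escaping and one
    dangling symlink, and return what the scanner flags."""
    base = Path(tempfile.mkdtemp())
    repo = base / "repo"
    (repo / "sub").mkdir(parents=True)
    (repo / "README").write_text("hello\n")
    (repo / "sub" / "inside").symlink_to(repo / "README")  # stays inside the repo
    (repo / "sub" / "escape").symlink_to(base)             # points above the repo root
    (repo / "dangling").symlink_to(repo / "missing")       # target does not exist
    return escaping_symlinks(repo)
```

Running `demo()` flags `dangling` and `sub/escape` but not `sub/inside`; `subrepos_allowed(open(".hg/hgrc").read())` tells you whether the configuration mitigation is in place for a given clone.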