Hello community,

here is the log from the commit of package mercurial for openSUSE:Factory checked in at 2018-03-12 12:07:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mercurial (Old)
 and /work/SRC/openSUSE:Factory/.mercurial.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mercurial" Mon Mar 12 12:07:12 2018 rev:125 rq:584101 version:4.5.2 Changes: -------- --- /work/SRC/openSUSE:Factory/mercurial/mercurial.changes 2018-02-06 16:46:13.816277309 +0100 +++ /work/SRC/openSUSE:Factory/.mercurial.new/mercurial.changes 2018-03-12 12:07:16.169028642 +0100 
@@ -1,0 +2,37 @@ +Wed Mar 7 08:10:06 UTC 2018 - [email protected] + +- Mercurial 4.5.2 + + (4.5.2 was released immediately after 4.5.1 to fix a release oversight.) + + 1. Security Fixes + All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP + server that allow permissions bypass to: + * Perform writes on repositories that should be read-only + * Perform reads on repositories that shouldn't allow read access + + 2. Backwards Compatibility Changes + The "batch" wire protocol command now enforces permissions of each invoked + sub-command. Wire protocol commands must define their operation type or the + "batch" command will assume they can write data and will prevent their + execution on HTTP servers unless the HTTP request method is POST, the + server is configured to allow pushes, and the (possibly authenticated) HTTP + user is authorized to perform a push. + Wire protocol commands not defining their operation type in + "wireproto.PERMISSIONS" are now assumed to be used for "push" operations + and access control to run those commands is now enforced accordingly. + + 3. 
Bug Fixes + fileset: don't abort when running copied() on a revision with a removed file + date: fix parsing months + setup: only allow Python 3 from a source checkout (issue5804) + annotate: do not poorly split lines at CR (issue5798) + subrepo: don't attempt to share remote sources (issue5793) + subrepo: activate clone pooling to enable sharing with remote URLs + changegroup: do not delta lfs revisions + revlog: do not use delta for lfs revisions + revlog: resolve lfs rawtext to vanilla rawtext before applying delta + + See full cnahgelog on + https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29 +------------------------------------------------------------------- Old: ---- mercurial-4.5.tar.gz mercurial-4.5.tar.gz.asc New: ---- mercurial-4.5.2.tar.gz mercurial-4.5.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mercurial.spec ++++++ --- /var/tmp/diff_new_pack.E4wuWl/_old 2018-03-12 12:07:17.444982909 +0100 +++ /var/tmp/diff_new_pack.E4wuWl/_new 2018-03-12 12:07:17.448982765 +0100 @@ -20,10 +20,10 @@ %{!?python_sitelib: %global python_sitelib %(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} %endif Name: mercurial -Version: 4.5 +Version: 4.5.2 Release: 0 Summary: Scalable Distributed SCM -License: GPL-2.0+ +License: GPL-2.0-or-later Group: Development/Tools/Version Control Url: https://www.mercurial-scm.org/ Source: https://www.mercurial-scm.org/release/mercurial-%{version}.tar.gz ++++++ mercurial-4.5.tar.gz -> mercurial-4.5.2.tar.gz ++++++ ++++ 4037 lines of diff (skipped)
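Review bot: the "1. Security Fixes" item in the new mercurial.changes entry describes a permissions bypass in the HTTP server but carries no CVE or bug-tracker reference, so the update cannot be matched to an advisory from the changelog alone; add the identifier to that item if one has been assigned. The "2. Backwards Compatibility Changes" item is the part administrators need to act on: any wire protocol command that has no entry in "wireproto.PERMISSIONS" is now treated as a "push" operation, so it is worth stating in the entry that servers carrying extensions with their own wire protocol commands should be checked after the update. In the closing lines of the entry, "cnahgelog" should read "changelog".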
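Review bot: the License tag change in the mercurial.spec hunk ("GPL-2.0+" to "GPL-2.0-or-later") is not recorded in the mercurial.changes entry, which only covers the 4.5.2 update; add a line for it so the spec and the changelog agree. The file list replaces mercurial-4.5.tar.gz.asc with mercurial-4.5.2.tar.gz.asc and the 4037 lines of tarball diff are skipped, so the review of this security update rests on that signature: the visible spec context shows only the "Source:" line, and it should be confirmed that the .asc is checked against the upstream key at build time.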
