Your message dated Tue, 28 May 2019 13:48:25 +0000
with message-id <e1hvcsn-000iev...@fasolo.debian.org>
and subject line Bug#927674: fixed in mercurial 4.8.2-1+deb10u1
has caused the Debian Bug report #927674,
regarding CVE-2019-3902
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
927674: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927674
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mercurial
Version: 4.8.2-1
Severity: grave
Tags: security

See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9:

This was assigned CVE-2019-3902:
It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking
logic and write files outside a repository. This has been fixed. Users on older versions
can either disable subrepositories with [subrepos] allowed=false in their configuration
or by ensuring any cloned repositories don't contain malicious symlinks.

This is fixed in sid, but buster still has 4.8.2.

Cheers,
        Moritz

--- End Message ---
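For users who stay on an unpatched version and rely on the second workaround quoted in the report above, the following is an added example (not part of the bug report and not Mercurial's own fix) of a heuristic pre-checkout audit of a cloned working directory. The function names, the two checks and the sample tree are assumptions made for illustration; `.hgsub` is read as plain `path = source` lines.

```python
import os
import tempfile

def subrepo_paths(hgsub_text):
    """Working-directory paths declared as 'path = source' lines in .hgsub."""
    paths, in_section = [], False
    for line in (l.strip() for l in hgsub_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_section = True          # e.g. [subpaths]: remapping rules, not subrepos
        elif line and line[0] not in "#;" and "=" in line and not in_section:
            paths.append(line.split("=", 1)[0].strip())
    return paths

def audit(repo_root):
    """Return sorted (path, reason) findings for a cloned working directory."""
    root, findings = os.path.realpath(repo_root), []
    # Check 1: symlinks whose target resolves outside the repository root.
    for dirpath, dirnames, filenames in os.walk(root):   # does not follow symlinks
        dirnames[:] = [d for d in dirnames if d != ".hg"]  # skip Mercurial metadata
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and os.path.commonpath([root, os.path.realpath(full)]) != root:
                findings.append((os.path.relpath(full, root), "symlink leaves repository"))
    # Check 2: a declared subrepository path that passes through a symlink.
    hgsub = os.path.join(root, ".hgsub")
    if os.path.isfile(hgsub):
        with open(hgsub, encoding="utf-8", errors="replace") as fh:
            declared = subrepo_paths(fh.read())
        for sub in declared:
            cur = root
            for part in sub.replace("\\", "/").split("/"):
                cur = os.path.join(cur, part)
                if os.path.islink(cur):
                    findings.append((sub, "subrepository path crosses a symlink"))
                    break
    return sorted(findings)

def demo():
    """Build a constructed sample tree (not from any real repository) and audit it."""
    base = tempfile.mkdtemp()
    repo, outside = os.path.join(base, "repo"), os.path.join(base, "outside")
    os.makedirs(os.path.join(repo, "docs"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(repo, "lib"))       # points outside the repo
    os.symlink("docs", os.path.join(repo, "inner"))      # stays inside: not reported
    with open(os.path.join(repo, ".hgsub"), "w") as fh:
        fh.write("# constructed sample\nlib/vendor = https://example.invalid/vendor\n")
    return audit(repo)
```

An empty result from `audit()` only means neither heuristic matched; upgrading to the fixed package or setting `[subrepos] allowed=false` remains the reliable mitigation.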
--- Begin Message ---
Source: mercurial
Source-Version: 4.8.2-1+deb10u1

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcris...@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 May 2019 15:12:35 +0200
Source: mercurial
Architecture: source
Version: 4.8.2-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
Changed-By: Julien Cristau <jcris...@debian.org>
Closes: 927674
Changes:
 mercurial (4.8.2-1+deb10u1) buster; urgency=medium
 .
   * CVE-2019-3902: it was possible to use symlinks and subrepositories to
     defeat Mercurial's path-checking logic and write files outside a
     repository.  Closes: #927674.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
