Your message dated Fri, 11 Aug 2017 10:19:32 +0000 with message-id <e1dg72s-0006jz...@fasolo.debian.org> and subject line Bug#871709: fixed in mercurial 4.3.1-1 has caused the Debian Bug report #871709, regarding mercurial: CVE-2017-1000115: path traversal via symlink to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 871709: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871709 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: mercurial Version: 4.0-1 Severity: grave Tags: upstream security Justification: user security hole Hi, the following vulnerability was published for mercurial. CVE-2017-1000115[0]: path traversal via symlink If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-1000115 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: mercurial Source-Version: 4.3.1-1 We believe that the bug you reported is fixed in the latest version of mercurial, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 871...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Tristan Seligmann <mithra...@debian.org> (supplier of updated mercurial package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 11 Aug 2017 05:00:16 +0200 Source: mercurial Binary: mercurial-common mercurial Architecture: source Version: 4.3.1-1 Distribution: unstable Urgency: high Maintainer: Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org> Changed-By: Tristan Seligmann <mithra...@debian.org> Description: mercurial - easy-to-use, scalable distributed version control system mercurial-common - easy-to-use, scalable distributed version control system (common Closes: 861243 868014 871709 871710 Changes: mercurial (4.3.1-1) unstable; urgency=high . * Urgency high because of important security fixes. * New upstream release (closes: #868014). - CVE-2017-1000115: Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository (closes: #871709). - CVE-2017-1000116: Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand (closes: #871710). - CVE-2017-9462: previously fixed in 4.1.3 upstream (closes: #861243). * Blacklist test-https.t due to TLS 1.0/1.1 being disabled in OpenSSL in unstable. * Fix license definitions in debian/copyright. * Bump Standards-Version to 4.0.0 (no changes). * Run wrap-and-sort -t -s. Checksums-Sha1: 57dc975c17618107ecb3d528e3fd861ea444b13f 2225 mercurial_4.3.1-1.dsc 06cde0a5d555d5c62bb7f791409fd91910c28553 5475042 mercurial_4.3.1.orig.tar.gz 75081b06541acd75272849b335ace0b956bfdc3e 54052 mercurial_4.3.1-1.debian.tar.xz f4c8f729dd7902939cdb4bb9960193f7fac53ead 6564 mercurial_4.3.1-1_source.buildinfo Checksums-Sha256: 5f8e9e8ba017f4a4fac3895dad636457c91b69ff4eab0193ad8b46736b351133 2225 mercurial_4.3.1-1.dsc 2b12f02e3a452adff4ec9cf007017bab0cadb3f37eaf12f4b25a662df73618a2 5475042 mercurial_4.3.1.orig.tar.gz 451bbaf7dca2d99c2c2eb18a4e275f06b7abf5f5784b08d3caf045d38d5b1832 54052 mercurial_4.3.1-1.debian.tar.xz c4731ef459b2c8c5052e1ddd3340ed1a50a3f45b527f519be7a9cc10ea813faf 6564 mercurial_4.3.1-1_source.buildinfo Files: b597cc62d5e567d9f08dad59d0e0ab64 2225 vcs optional mercurial_4.3.1-1.dsc b9cbdcf0bd41a2b385b35b9fbfeb0eea 5475042 vcs optional mercurial_4.3.1.orig.tar.gz 3d5ba7aa476ab96bbcb55cb4094786af 54052 vcs optional mercurial_4.3.1-1.debian.tar.xz e72925b9e61deb79b06af897182a98c6 6564 vcs optional mercurial_4.3.1-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQGpBAEBCgCTFiEEXAZWhXVRbQoz/6ejwImQ+x9jeJMFAlmNgVBfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDVD MDY1Njg1NzU1MTZEMEEzM0ZGQTdBM0MwODk5MEZCMUY2Mzc4OTMVHG1pdGhyYW5k aUBkZWJpYW4ub3JnAAoJEMCJkPsfY3iT+RgIAK/PRNDVfhalbNjeY3e4pQUslNeD NOuUoi7ViMfpPUnmkLy4N+TFNm6yj52o0e/RUSB6qS6KumfybIYnMnifIzxbip4U YNKrl5drg2CHZYgTrfG+cHJEDKHiibbH2yZ0m0zqcKqxpEJKAPZLekCmLgy4bAi4 4iPYlXKEugRaiyCx2yteoaqDp1fPrpE4yhZCYUqH6YayLwSWeYo4ViGGGxQwOE7G wRlUSSXIy9mZEhj3DJwgWgtKJQrYIV1mwWatB8ObzSzn0ArVMO/VukyL7rbsRNUY fWzC8eh6Hs2GlU0pNaeV6SxHOPXfTqvwvFcFuf80wv0CdxZaCXLZOyXNEok= =Nttf -----END PGP SIGNATURE-----
--- End Message ---
