[ubuntu/eoan-proposed] mercurial 4.8.2-1ubuntu4 (Accepted)
Mike Salvatore
mike.salvatore at canonical.com
Tue Aug 13 20:17:14 UTC 2019
mercurial (4.8.2-1ubuntu4) eoan; urgency=medium

  * SECURITY UPDATE: Write to arbitrary files outside a repository by using
    symlinks in subrepositories
    - debian/patches/CVE-2019-3902-1.patch: subrepo: extend path auditing test
      to include more weird patterns (SEC)
    - debian/patches/CVE-2019-3902-2.patch: subrepo: prohibit variable
      expansion on creation of hg subrepo (SEC)
    - debian/patches/CVE-2019-3902-3.patch: subrepo: reject potentially unsafe
      subrepo paths (BC) (SEC)
    - CVE-2019-3902

Date: Tue, 30 Jul 2019 15:42:49 -0400
Changed-By: Mike Salvatore <mike.salvatore at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/mercurial/4.8.2-1ubuntu4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 30 Jul 2019 15:42:49 -0400
Source: mercurial
Architecture: source
Version: 4.8.2-1ubuntu4
Distribution: eoan
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Mike Salvatore <mike.salvatore at canonical.com>
Changes:
 mercurial (4.8.2-1ubuntu4) eoan; urgency=medium
 .
   * SECURITY UPDATE: Write to arbitrary files outside a repository by using
     symlinks in subrepositories
     - debian/patches/CVE-2019-3902-1.patch: subrepo: extend path auditing test
       to include more weird patterns (SEC)
     - debian/patches/CVE-2019-3902-2.patch: subrepo: prohibit variable
       expansion on creation of hg subrepo (SEC)
     - debian/patches/CVE-2019-3902-3.patch: subrepo: reject potentially unsafe
       subrepo paths (BC) (SEC)
     - CVE-2019-3902
Checksums-Sha1:
04b42c1c499950e7b16eab861776ba71d5858772 2745 mercurial_4.8.2-1ubuntu4.dsc
6b93b10e9fb969a8d9378e83771244e0082e6b6f 66296 mercurial_4.8.2-1ubuntu4.debian.tar.xz
1e2cffd8f027ea990c794a458a3d376403c4c858 7030 mercurial_4.8.2-1ubuntu4_source.buildinfo
Checksums-Sha256:
9433f69ec5bd1bc98b1b0319b976028b7b4c2ac3bef1d6367ca627d8d1f5d85d 2745 mercurial_4.8.2-1ubuntu4.dsc
f55665ce2a6c03eeb3de757826f07aacac41236bb4a457643092e279022dc398 66296 mercurial_4.8.2-1ubuntu4.debian.tar.xz
d282be60826ba27210b13878ae5fa21dccfaca95dc5f47e9a1162901604ff3ce 7030 mercurial_4.8.2-1ubuntu4_source.buildinfo
Files:
49d4cfef43690ae8583d35b38b652c75 2745 vcs optional mercurial_4.8.2-1ubuntu4.dsc
6c4d90564d93578ba5047432fa091910 66296 vcs optional mercurial_4.8.2-1ubuntu4.debian.tar.xz
f6246c2aa6694126dfff42d0a5a30199 7030 vcs optional mercurial_4.8.2-1ubuntu4_source.buildinfo
Original-Maintainer: Python Applications Packaging Team <python-apps-team at lists.alioth.debian.org>