On Tue, Dec 23, 2014 at 01:20:10PM +0000, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> Hi,
>
> On 2014-12-23 12:15, Javi Merino wrote:
> >mercurial in wheezy is affected by CVE-2014-9390[0] (Errors in
> >handling case-sensitive directories allow for remote code execution on
> >pull). The security team says that few users are affected by it as it
> >only affects you if you are running on a case-sensitive filesystem.
> >They say it should go through stable-proposed-updates.
> >
> >Upstream has said that three patches[1] need to be backported to fix
> >it. I've done it for wheezy and prepared an upload, see the attached
> >debdiff against the current version in wheezy: 2.2.2-3.
> >
> >[0] https://security-tracker.debian.org/tracker/CVE-2014-9390
> >[1] http://selenic.com/pipermail/mercurial-packaging/2014-December/000133.html
>
> Thanks for looking at fixing this in stable.
>
> The patches look okay, but it appears that this hasn't been fixed in
> unstable yet. Is that correct? If so then we generally prefer to get
> unstable fixed first, so that the changes can get some testing there.

That's correct, I'm preparing an upload for jessie. If I upload the same fix to unstable, would it be unblocked?