Your message dated Fri, 08 Apr 2016 09:47:55 +0000
with message-id <e1aot19-0004v7...@franck.debian.org>
and subject line Bug#819504: fixed in mercurial 3.1.2-2+deb8u2
has caused the Debian Bug report #819504,
regarding mercurial: CVE-2016-3068 CVE-2016-3069 CVE-2016-3630
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
819504: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819504
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mercurial
Version: 3.7.2-2
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for mercurial.
CVE-2016-3068[0]:
arbitrary code execution with Git subrepos
CVE-2016-3069[1]:
arbitrary code execution when converting Git repos
CVE-2016-3630[2]:
remote code execution in binary delta decoding
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-3068
[1] https://security-tracker.debian.org/tracker/CVE-2016-3069
[2] https://security-tracker.debian.org/tracker/CVE-2016-3630
[3] https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mercurial
Source-Version: 3.1.2-2+deb8u2
We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 819...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Cristau <jcris...@debian.org> (supplier of updated mercurial package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 04 Apr 2016 15:41:22 +0200
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source all amd64
Version: 3.1.2-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
Changed-By: Julien Cristau <jcris...@debian.org>
Description:
mercurial - easy-to-use, scalable distributed version control system
mercurial-common - easy-to-use, scalable distributed version control system
(common
Closes: 819504
Changes:
mercurial (3.1.2-2+deb8u2) jessie-security; urgency=high
  .
  * CVE-2016-3630:
    + parsers: fix list sizing rounding error
    + parsers: detect short records
  * CVE-2016-3068:
    + subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols
  * CVE-2016-3069:
    + convert: add new, non-clowny interface for shelling out to git
    + convert: rewrite calls to Git to use the new shelling mechanism
    + convert: dead code removal - old git calling functions
    + convert: rewrite gitpipe to use common.commandline
    + convert: test for shell injection in git calls
  Closes: #819504
Checksums-Sha1:
18764a7b25256dc7b1412ddc7ea3a444dd6e2c34 2273 mercurial_3.1.2-2+deb8u2.dsc
df69dd5b4b561241c6c70d6a3cc7faaf1932d96a 53104 mercurial_3.1.2-2+deb8u2.debian.tar.xz
c08b338aa119e4e50f6665dc2bff6a61786d8435 1601038 mercurial-common_3.1.2-2+deb8u2_all.deb
09dd4187518be64d6f3a0cfbc2a303bcb9225737 59998 mercurial_3.1.2-2+deb8u2_amd64.deb
Checksums-Sha256:
a9f0e92d27935a0bdcf418260cd1d31552e311cbcf3a7112bc8ada24f73e6927 2273 mercurial_3.1.2-2+deb8u2.dsc
7d3c9f6b221605e129f2476c86017b4bb47048c4587e8376888d18d80ef196b0 53104 mercurial_3.1.2-2+deb8u2.debian.tar.xz
52c1e914ca57743c5e331f6308d0bff755c446b21e86491ca9f3339d26dfa643 1601038 mercurial-common_3.1.2-2+deb8u2_all.deb
bcd724239c207424520a871956663bd55dffff265e1ad5b93dd91aefdaa2df6e 59998 mercurial_3.1.2-2+deb8u2_amd64.deb
Files:
3e98ecc94ceed22414f308977c5c33ce 2273 vcs optional mercurial_3.1.2-2+deb8u2.dsc
09443346fcd32df0e48d42c0d9e9fbb7 53104 vcs optional mercurial_3.1.2-2+deb8u2.debian.tar.xz
0178734936ac3e7c0da633b8826cdf2b 1601038 vcs optional mercurial-common_3.1.2-2+deb8u2_all.deb
06da0420aa8c640110c603fbb63429f2 59998 vcs optional mercurial_3.1.2-2+deb8u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJXAuJgAAoJEJ2wI1VW+M+tCyMP/2KTVmxqxwThvcnOjxfL0Dvx
2uqgZTbnlyeuPt5R65x0lCIUiRKjFjb0ESM+pBr7MnlCOvlRDC1dFkWaDPjfKm7G
UD9CnoAlx09Lg6jWm/loHFWuJH42O5Pa0WeLi8DZN8QCPZcXQRc116lbbsumdhmy
ivjGj+PhB3T/dU2hPARqjvhuQSTSVIOF2NjWpNEUe2/B/oXakR0lqNVkKe+Ds3Eg
9VoDUo6wL01Tskg/mC+3kgYtpogs3mSBoxeM60z3OT3z/snw5W7OE3/uRUY0qXq/
R5b9t1eCT0wAzTSHIRVL2h3HJrZaunv/rNgV0xU3epn59dAaM3eljsgbvZ0+AGTQ
3K4iN/8ooH1womB07t844OUeLV4oANCj3pRhiBS78IRoTB52NoI8HkjI9CXKKhK8
HVVjPNNgoknI9kVg+fv2Cnj0+M2bV73fuGkdDaNy6NVpcHsTKyoQDmP2kvAJboIe
cJE/wYxsyhk33QiJbSuy8w3AbPcTT9yX9wPQ71BFNsoAmwNwo3yylkH5jTffuQFA
W7eAxWQm4N0GSA9Tf0w9LAzy4ap1t/zRJIuwFsrCG5VEcdHha1nuEGJSxPsMOSPp
pOKe/mVLySk8qoUeTQmNaYfp6CMgO7JRcwc1H8SjG8rymD6YkQTEhAsJlhvlrbbR
plaFMeeQpGOrbvKlTR4P
=8x3e
-----END PGP SIGNATURE-----
--- End Message ---
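The changelog above lists two of the mitigations in general terms: limiting the transports git may use via GIT_ALLOW_PROTOCOL (CVE-2016-3068) and replacing shell-string invocation of git with a proper command-line interface (CVE-2016-3069). The following is an added example, written for this page and not taken from Mercurial or the Debian package, of the same two patterns in Python: an argv builder that passes every untrusted operand as a single element behind a `--` separator, an environment helper that applies the protocol allow-list, and a pre-check that classifies a remote address before git ever sees it. GIT_ALLOW_PROTOCOL is a real git environment variable; the function names, the particular allow-list value and the URL classification rules are this example's own assumptions.

```python
"""Added example (not Mercurial's code): invoking git without a shell and
restricting the transports it may use. Names below are assumptions."""
import os
import subprocess
from typing import Dict, List, Optional, Sequence

# Colon-separated allow-list handed to git through GIT_ALLOW_PROTOCOL (a real
# git variable). git refuses any transport not listed, including remote
# helpers selected with "<helper>::<address>". This value is an assumption
# for the example, not necessarily the one Mercurial ships.
ALLOWED_GIT_PROTOCOLS = "file:git:http:https:ssh"


def url_protocol(url: str) -> str:
    """Approximate git's classification of a remote address (assumption).

    'scheme://...'       -> scheme
    'helper::address'    -> helper name (remote-helper syntax)
    'user@host:path'     -> ssh (scp-like: colon before any slash)
    anything else        -> local path, i.e. 'file'
    Windows drive letters ('C:\\repo') would land in the ssh branch here;
    git special-cases those, this example does not.
    """
    if "://" in url:
        return url.split("://", 1)[0].lower()
    if "::" in url:
        return url.split("::", 1)[0].lower()
    colon, slash = url.find(":"), url.find("/")
    if colon > 0 and (slash == -1 or colon < slash):
        return "ssh"
    return "file"


def is_allowed(url: str, allowed: str = ALLOWED_GIT_PROTOCOLS) -> bool:
    """Defence in depth: reject a remote in our own code before git runs."""
    return url_protocol(url) in allowed.split(":")


def restricted_env(base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Copy of the environment with the transport allow-list applied.

    setdefault() keeps a value an administrator already exported, so a
    site-wide GIT_ALLOW_PROTOCOL policy is not silently overridden.
    """
    env = dict(os.environ if base is None else base)
    env.setdefault("GIT_ALLOW_PROTOCOL", ALLOWED_GIT_PROTOCOLS)
    return env


def git_argv(subcommand: str, options: Sequence[str] = (),
             operands: Sequence[str] = ()) -> List[str]:
    """Build git's argument vector as a list, never as a shell string.

    `options` are fixed by the caller; `operands` (paths, URLs, revisions)
    may be attacker-influenced. Each operand becomes exactly one argv
    element, so shell metacharacters in it are data, not syntax, and the
    '--' separator stops an operand beginning with '-' from being parsed
    as a git option.
    """
    for opt in options:
        if not opt.startswith("-"):
            raise ValueError(f"option expected, got operand-like {opt!r}")
    return ["git", subcommand, *options, "--", *operands]


def run_git(argv: List[str], cwd: Optional[str] = None) -> subprocess.CompletedProcess:
    """Run a prepared argv with shell=False (the default for a list)."""
    return subprocess.run(argv, cwd=cwd, env=restricted_env(),
                          capture_output=True, text=True, check=False)


def clone(remote: str, dest: str) -> subprocess.CompletedProcess:
    """Clone `remote` into `dest`, refusing disallowed transports up front."""
    if not is_allowed(remote):
        raise ValueError(f"transport {url_protocol(remote)!r} not allowed")
    return run_git(git_argv("clone", ["--quiet"], [remote, dest]))


if __name__ == "__main__":
    # Constructed sample operands; note the metacharacters stay inside one
    # argv element and nothing is interpreted by a shell.
    print(git_argv("clone", ["--quiet"],
                   ["https://example.invalid/repo.git", "dest;ls"]))
    print(is_allowed("ext::helper-program"))
```

The two layers are independent: `git_argv` removes the shell from the picture entirely, and `restricted_env` plus `is_allowed` bound what git itself may reach even when the argument vector is clean.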