Your message dated Fri, 08 Apr 2016 09:49:25 +0000
with message-id <e1aot2b-0004k3...@franck.debian.org>
and subject line Bug#819504: fixed in mercurial 2.2.2-4+deb7u2
has caused the Debian Bug report #819504,
regarding mercurial: CVE-2016-3068 CVE-2016-3069 CVE-2016-3630
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
819504: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819504
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mercurial
Version: 3.7.2-2
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for mercurial.

CVE-2016-3068[0]:
arbitrary code execution with Git subrepos

CVE-2016-3069[1]:
arbitrary code execution when converting Git repos

CVE-2016-3630[2]:
remote code execution in binary delta decoding

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3068
[1] https://security-tracker.debian.org/tracker/CVE-2016-3069
[2] https://security-tracker.debian.org/tracker/CVE-2016-3630
[3] https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mercurial
Source-Version: 2.2.2-4+deb7u2

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 819...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcris...@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Apr 2016 22:51:48 +0200
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source all amd64
Version: 2.2.2-4+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
Changed-By: Julien Cristau <jcris...@debian.org>
Description: 
 mercurial  - easy-to-use, scalable distributed version control system
 mercurial-common - easy-to-use, scalable distributed version control system (common
Closes: 819504
Changes: 
 mercurial (2.2.2-4+deb7u2) wheezy-security; urgency=high
 .
   * CVE-2016-3630:
     + mpatch: rewrite pointer overflow checks (prerequisite for the following)
     + parsers: fix list sizing rounding error
     + parsers: detect short records
   * CVE-2016-3068:
     + subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols
   * CVE-2016-3069:
     + convert: add new, non-clowny interface for shelling out to git
     + convert: rewrite calls to Git to use the new shelling mechanism
     + convert: dead code removal - old git calling functions
     + convert: rewrite gitpipe to use common.commandline
     + convert: test for shell injection in git calls
   Closes: #819504


--- End Message ---
