Your message dated Fri, 08 Jun 2018 13:46:31 +0000
with message-id <e1frhip-000cbh...@fasolo.debian.org>
and subject line Bug#901050: fixed in mercurial 4.6.1-1
has caused the Debian Bug report #901050,
regarding mercurial: New security fixes release (4.6.1)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
901050: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901050
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mercurial
Version: 4.6-2
Severity: grave
Tags: security upstream

For tracking purposes: mercurial 4.6.1 contains security fixes as
denoted in: 

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29

> 1.1. Security Fixes
> 
> Multiple issues found in mpatch.c with a fuzzer:
> 
>     OVE-20180430-0001
>     OVE-20180430-0002
>     OVE-20180430-0004
> 
> With the following fixes:
> 
>     mpatch: be more careful about parsing binary patch data (SEC)
>     mpatch: protect against underflow in mpatch_apply (SEC)
>     mpatch: ensure fragment start isn't past the end of orig (SEC)
>     mpatch: fix UB in int overflows in gather() (SEC)
>     mpatch: fix UB integer overflows in discard() (SEC)
>     mpatch: avoid integer overflow in mpatch_decode (SEC)
>     mpatch: avoid integer overflow in combine() (SEC)
> 
> No exploits are known at the time, however, it is highly recommended that all
> users upgrade.

No CVEs are yet assigned.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mercurial
Source-Version: 4.6.1-1

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcris...@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Jun 2018 13:56:22 +0200
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source
Version: 4.6.1-1
Distribution: unstable
Urgency: medium
Maintainer: Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
Changed-By: Julien Cristau <jcris...@debian.org>
Description:
 mercurial  - easy-to-use, scalable distributed version control system
 mercurial-common - easy-to-use, scalable distributed version control system (common
Closes: 901050
Changes:
 mercurial (4.6.1-1) unstable; urgency=medium
 .
   * New upstream bugfix release
     + fix security issues in mpatch (closes: #901050)
     + proposed_upstream__fix_xdiff_32bit.patch: drop, applied upstream

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---