Debian Bug report logs - #598841
mercurial fails to verify ssl validity in https connections
Reported by: Wagner Bruna <wbruna@yahoo.com>
Date: Sat, 2 Oct 2010 15:30:01 UTC
Severity: important
Tags: fixed-upstream, patch, security
Found in version mercurial/1.6.2-2
Fixed in version mercurial/1.6.4-1
Done: Javi Merino <cibervicho@gmail.com>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, wbruna@yahoo.com, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#598841; Package mercurial.
(Sat, 02 Oct 2010 15:30:04 GMT).
Acknowledgement sent
to Wagner Bruna <wbruna@yahoo.com>:
New Bug report received and forwarded. Copy sent to wbruna@yahoo.com, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>.
(Sat, 02 Oct 2010 15:30:04 GMT).
Message #5 received at submit@bugs.debian.org:
Package: mercurial
Version: 1.6.2-2
Severity: important
Tags: security, fixed-upstream, patch
Forwarding this upstream security issue:
http://mercurial.selenic.com/bts/issue2407
A fix is available at:
http://selenic.com/repo/hg-stable/rev/f2937d6492c5
and included in version 1.6.4.
-- System Information:
Debian Release: 5.0.6
APT prefers stable
APT policy: (500, 'stable'), (200, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages mercurial depends on:
ii libc6 2.11.2-6 Embedded GNU C Library: Shared lib
ii mercurial-common 1.6.2-2 scalable distributed version contr
ii python 2.5.2-3 An interactive high-level object-o
ii python-support 1.0.10 automated rebuilding support for P
ii ucf 3.0016 Update Configuration File: preserv
mercurial recommends no packages.
Versions of packages mercurial suggests:
ii emacs 22.2+2-5 The GNU Emacs editor (metapackage)
ii kdiff3 0.9.92-2 compares and merges 2 or 3 files o
pn qct <none> (no description available)
ii tk8.4 [wish] 8.4.19-2 Tk toolkit for Tcl and X11, v8.4 -
ii tk8.5 [wish] 8.5.3-4 Tk toolkit for Tcl and X11, v8.5 -
ii vim 1:7.1.314-3+lenny2 Vi IMproved - enhanced vi editor
ii vim-gtk [vim] 1:7.1.314-3+lenny2 Vi IMproved - enhanced vi editor -
-- no debconf information
Added tag(s) pending.
Request was from Javi Merino <cibervicho@gmail.com>
to control@bugs.debian.org.
(Mon, 04 Oct 2010 13:09:05 GMT).
Reply sent
to Javi Merino <cibervicho@gmail.com>:
You have taken responsibility.
(Tue, 12 Oct 2010 21:31:46 GMT).
Notification sent
to Wagner Bruna <wbruna@yahoo.com>:
Bug acknowledged by developer.
(Tue, 12 Oct 2010 21:31:46 GMT).
Message #12 received at 598841-close@bugs.debian.org:
Source: mercurial
Source-Version: 1.6.4-1
We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive:
mercurial-common_1.6.4-1_all.deb
to main/m/mercurial/mercurial-common_1.6.4-1_all.deb
mercurial_1.6.4-1.debian.tar.gz
to main/m/mercurial/mercurial_1.6.4-1.debian.tar.gz
mercurial_1.6.4-1.dsc
to main/m/mercurial/mercurial_1.6.4-1.dsc
mercurial_1.6.4-1_amd64.deb
to main/m/mercurial/mercurial_1.6.4-1_amd64.deb
mercurial_1.6.4.orig.tar.gz
to main/m/mercurial/mercurial_1.6.4.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 598841@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Javi Merino <cibervicho@gmail.com> (supplier of updated mercurial package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 04 Oct 2010 07:37:33 -0500
Source: mercurial
Binary: mercurial-common mercurial
Architecture: all amd64 source
Version: 1.6.4-1
Distribution: unstable
Urgency: low
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Javi Merino <cibervicho@gmail.com>
Closes: 598841 598850
Description:
mercurial-common - scalable distributed version control system (common files)
mercurial - scalable distributed version control system
Changes:
mercurial (1.6.4-1) unstable; urgency=low
.
* New upstream release 1.6.4 (Closes: #598850)
* Verify ssl validity in https connections (Closes: #598841)
Information forwarded
to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#598841; Package mercurial.
(Mon, 18 Oct 2010 21:36:03 GMT).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>.
(Mon, 18 Oct 2010 21:36:03 GMT).
Message #17 received at 598841@bugs.debian.org:
On Sat, Oct 02, 2010 at 12:26:22PM -0300, Wagner Bruna wrote:
> Package: mercurial
> Version: 1.6.2-2
> Severity: important
> Tags: security, fixed-upstream, patch
>
>
> Forwarding this upstream security issue:
>
> http://mercurial.selenic.com/bts/issue2407
>
> A fix is available at:
>
> http://selenic.com/repo/hg-stable/rev/f2937d6492c5
>
> and included in version 1.6.4.
Dear Mercurial maintainers,
this is still unfixed in Squeeze, so this will likely need a
targeted fix for testing or the 1.6.4 version needs a freeze
exception. Please get in touch with the release team.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#598841; Package mercurial.
(Mon, 18 Oct 2010 22:15:09 GMT).
Acknowledgement sent
to Javi Merino <cibervicho@gmail.com>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>.
(Mon, 18 Oct 2010 22:15:09 GMT).
Message #22 received at 598841@bugs.debian.org:
On 18/10/10 22:32, Moritz Muehlenhoff wrote:
> On Sat, Oct 02, 2010 at 12:26:22PM -0300, Wagner Bruna wrote:
>> Package: mercurial
>> Version: 1.6.2-2
>> Severity: important
>> Tags: security, fixed-upstream, patch
>>
>>
>> Forwarding this upstream security issue:
>>
>> http://mercurial.selenic.com/bts/issue2407
>>
>> A fix is available at:
>>
>> http://selenic.com/repo/hg-stable/rev/f2937d6492c5
>>
>> and included in version 1.6.4.
>
> Dear Mercurial maintainers,
> this is still unfixed in Squeeze, so this will likely need a
> targeted fix for testing or the 1.6.4 version needs a freeze
> exception. Please get in touch with the release team.
We've contacted the release team and asked them for a freeze exception
on 1.6.4, but haven't got a response yet.
Cheers,
Javi (vicho)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 22 Nov 2010 07:31:26 GMT).
Last modified: Thu Aug 1 23:32:54 2024