Debian Bug report logs - #598841
mercurial fails to verify ssl validity in https connections


Package: mercurial; Maintainer for mercurial is Debian Python Team <team+python@tracker.debian.org>; Source for mercurial is src:mercurial.

Reported by: Wagner Bruna <wbruna@yahoo.com>

Date: Sat, 2 Oct 2010 15:30:01 UTC

Severity: important

Tags: fixed-upstream, patch, security

Found in version mercurial/1.6.2-2

Fixed in version mercurial/1.6.4-1

Done: Javi Merino <cibervicho@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, wbruna@yahoo.com, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#598841; Package mercurial. (Sat, 02 Oct 2010 15:30:04 GMT).


Acknowledgement sent to Wagner Bruna <wbruna@yahoo.com>:
New Bug report received and forwarded. Copy sent to wbruna@yahoo.com, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Sat, 02 Oct 2010 15:30:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Wagner Bruna <wbruna@yahoo.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mercurial fails to verify ssl validity in https connections
Date: Sat, 02 Oct 2010 12:26:22 -0300
Package: mercurial
Version: 1.6.2-2
Severity: important
Tags: security, fixed-upstream, patch


Forwarding this upstream security issue:

http://mercurial.selenic.com/bts/issue2407

A fix is available at:

http://selenic.com/repo/hg-stable/rev/f2937d6492c5

and included in version 1.6.4.

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (500, 'stable'), (200, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mercurial depends on:
ii  libc6                         2.11.2-6   Embedded GNU C Library: Shared lib
ii  mercurial-common              1.6.2-2    scalable distributed version contr
ii  python                        2.5.2-3    An interactive high-level object-o
ii  python-support                1.0.10     automated rebuilding support for P
ii  ucf                           3.0016     Update Configuration File: preserv

mercurial recommends no packages.

Versions of packages mercurial suggests:
ii  emacs                 22.2+2-5           The GNU Emacs editor (metapackage)
ii  kdiff3                0.9.92-2           compares and merges 2 or 3 files o
pn  qct                   <none>             (no description available)
ii  tk8.4 [wish]          8.4.19-2           Tk toolkit for Tcl and X11, v8.4 -
ii  tk8.5 [wish]          8.5.3-4            Tk toolkit for Tcl and X11, v8.5 -
ii  vim                   1:7.1.314-3+lenny2 Vi IMproved - enhanced vi editor
ii  vim-gtk [vim]         1:7.1.314-3+lenny2 Vi IMproved - enhanced vi editor -

-- no debconf information




Added tag(s) pending. Request was from Javi Merino <cibervicho@gmail.com> to control@bugs.debian.org. (Mon, 04 Oct 2010 13:09:05 GMT).


Reply sent to Javi Merino <cibervicho@gmail.com>:
You have taken responsibility. (Tue, 12 Oct 2010 21:31:46 GMT).


Notification sent to Wagner Bruna <wbruna@yahoo.com>:
Bug acknowledged by developer. (Tue, 12 Oct 2010 21:31:46 GMT).


Message #12 received at 598841-close@bugs.debian.org:

From: Javi Merino <cibervicho@gmail.com>
To: 598841-close@bugs.debian.org
Subject: Bug#598841: fixed in mercurial 1.6.4-1
Date: Tue, 12 Oct 2010 21:17:23 +0000
Source: mercurial
Source-Version: 1.6.4-1

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive:

mercurial-common_1.6.4-1_all.deb
  to main/m/mercurial/mercurial-common_1.6.4-1_all.deb
mercurial_1.6.4-1.debian.tar.gz
  to main/m/mercurial/mercurial_1.6.4-1.debian.tar.gz
mercurial_1.6.4-1.dsc
  to main/m/mercurial/mercurial_1.6.4-1.dsc
mercurial_1.6.4-1_amd64.deb
  to main/m/mercurial/mercurial_1.6.4-1_amd64.deb
mercurial_1.6.4.orig.tar.gz
  to main/m/mercurial/mercurial_1.6.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 598841@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javi Merino <cibervicho@gmail.com> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 04 Oct 2010 07:37:33 -0500
Source: mercurial
Binary: mercurial-common mercurial
Architecture: all amd64 source
Version: 1.6.4-1
Distribution: unstable
Urgency: low
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Javi Merino <cibervicho@gmail.com>
Closes: 598841 598850
Description: 
 mercurial-common - scalable distributed version control system (common files)
 mercurial  - scalable distributed version control system
Changes: 
 mercurial (1.6.4-1) unstable; urgency=low
 .
   * New upstream release 1.6.4 (Closes: #598850)
   * Verify ssl validity in https connections (Closes: #598841)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#598841; Package mercurial. (Mon, 18 Oct 2010 21:36:03 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Mon, 18 Oct 2010 21:36:03 GMT).


Message #17 received at 598841@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Wagner Bruna <wbruna@yahoo.com>
Cc: 598841@bugs.debian.org
Subject: Re: mercurial fails to verify ssl validity in https connections
Date: Mon, 18 Oct 2010 23:32:49 +0200

On Sat, Oct 02, 2010 at 12:26:22PM -0300, Wagner Bruna wrote:
> Package: mercurial
> Version: 1.6.2-2
> Severity: important
> Tags: security, fixed-upstream, patch
> 
> 
> Forwarding this upstream security issue:
> 
> http://mercurial.selenic.com/bts/issue2407
> 
> A fix is available at:
> 
> http://selenic.com/repo/hg-stable/rev/f2937d6492c5
> 
> and included in version 1.6.4.

Dear Mercurial maintainers,
this is still unfixed in Squeeze, so this will likely need a
targeted fix for testing or the 1.6.4 version needs a freeze
exception. Please get in touch with the release team.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#598841; Package mercurial. (Mon, 18 Oct 2010 22:15:09 GMT).


Acknowledgement sent to Javi Merino <cibervicho@gmail.com>:
Extra info received and forwarded to list. Copy sent to Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Mon, 18 Oct 2010 22:15:09 GMT).


Message #22 received at 598841@bugs.debian.org:

From: Javi Merino <cibervicho@gmail.com>
To: Moritz Muehlenhoff <jmm@inutil.org>, 598841@bugs.debian.org
Cc: Wagner Bruna <wbruna@yahoo.com>
Subject: Re: Bug#598841: mercurial fails to verify ssl validity in https connections
Date: Mon, 18 Oct 2010 23:09:59 +0100

On 18/10/10 22:32, Moritz Muehlenhoff wrote:
> On Sat, Oct 02, 2010 at 12:26:22PM -0300, Wagner Bruna wrote:
>> Package: mercurial
>> Version: 1.6.2-2
>> Severity: important
>> Tags: security, fixed-upstream, patch
>>
>>
>> Forwarding this upstream security issue:
>>
>> http://mercurial.selenic.com/bts/issue2407
>>
>> A fix is available at:
>>
>> http://selenic.com/repo/hg-stable/rev/f2937d6492c5
>>
>> and included in version 1.6.4.
> 
> Dear Mercurial maintainers,
> this is still unfixed in Squeeze, so this will likely need a
> targeted fix for testing or the 1.6.4 version needs a freeze
> exception. Please get in touch with the release team.

We've contacted the release team and asked them for a freeze exception
on 1.6.4, but haven't got a response yet.

Cheers,
Javi (vicho)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 22 Nov 2010 07:31:26 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 1 23:32:54 2024; Machine Name: buxtehude
