[Python-apps-commits] r2355 - in packages/mercurial/branches (4 files)

vt-guest at users.alioth.debian.org
Tue Feb 10 16:47:18 UTC 2009


    Date: Tuesday, February 10, 2009 @ 16:47:17
  Author: vt-guest
Revision: 2355

Add mercurial 1.0.1-5.1 from lenny to version control

Added:
  packages/mercurial/branches/lenny/
    (from rev 1692, packages/mercurial/trunk)
  packages/mercurial/branches/lenny/debian/patches/CVE-2008-4297
Modified:
  packages/mercurial/branches/lenny/debian/changelog
  packages/mercurial/branches/lenny/debian/patches/series

Copied: packages/mercurial/branches/lenny (from rev 1692, packages/mercurial/trunk)

Modified: packages/mercurial/branches/lenny/debian/changelog
===================================================================
--- packages/mercurial/trunk/debian/changelog	2008-08-26 13:30:05 UTC (rev 1692)
+++ packages/mercurial/branches/lenny/debian/changelog	2009-02-10 16:47:17 UTC (rev 2355)
@@ -1,3 +1,11 @@
+mercurial (1.0.1-5.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Honor allowpull configuration setting from hgrc on a repository clone to
+    prevent information disclosure (CVE-2008-4297; Closes: #500781).
+
+ -- Nico Golde <nion at debian.org>  Fri, 03 Oct 2008 16:25:13 +0200
+
 mercurial (1.0.1-5) unstable; urgency=low
 
   * Fix debian/copyright (GPL-2 only and not GPL-2+) (Closes: #493967)
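
Review bot: The new 1.0.1-5.1 entry does not say where the fix lives. It names the allowpull setting and the CVE but neither the patch file (debian/patches/CVE-2008-4297) nor the code path it changes (stream_out in mercurial/hgweb/protocol.py). Adding both to the bullet would let someone auditing the package map the changelog line to the change without opening the patch series.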

Added: packages/mercurial/branches/lenny/debian/patches/CVE-2008-4297
===================================================================
--- packages/mercurial/branches/lenny/debian/patches/CVE-2008-4297	                        (rev 0)
+++ packages/mercurial/branches/lenny/debian/patches/CVE-2008-4297	2009-02-10 16:47:17 UTC (rev 2355)
@@ -0,0 +1,12 @@
+Index: mercurial-1.0.1/mercurial/hgweb/protocol.py
+===================================================================
+--- mercurial-1.0.1.orig/mercurial/hgweb/protocol.py	2008-10-03 16:24:51.000000000 +0200
++++ mercurial-1.0.1/mercurial/hgweb/protocol.py	2008-10-03 16:25:01.000000000 +0200
+@@ -224,5 +224,7 @@
+         os.unlink(tempname)
+ 
+ def stream_out(web, req):
++    if not web.allowpull:
++        return
+     req.respond(HTTP_OK, HGTYPE)
+     streamclone.stream_out(web.repo, req, untrusted=True)
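
Review bot: The new guard at the top of stream_out returns without sending any response when web.allowpull is false, so a refused client gets no status or message and cannot tell a denied pull from a broken server. Consider answering through req.respond with an explicit error status before returning, so the refusal is visible to the client and in the access log. Two smaller points: this hunk only covers stream_out, and the other pull-type handlers in protocol.py are not visible here, so it is worth confirming they check allowpull as well or moving the check to one shared place; and the patch file carries no description header, so a short comment naming CVE-2008-4297, bug #500781 and the origin of the fix would help later maintenance.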

Modified: packages/mercurial/branches/lenny/debian/patches/series
===================================================================
--- packages/mercurial/trunk/debian/patches/series	2008-08-26 13:30:05 UTC (rev 1692)
+++ packages/mercurial/branches/lenny/debian/patches/series	2009-02-10 16:47:17 UTC (rev 2355)
@@ -1,3 +1,4 @@
+CVE-2008-4297
 proposed_upstream__python-module-not-script.patch
 proposed_upstream__extension_syntax.patch
 deb_specific__FAQ_subst.patch
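
Review bot: The added series entry CVE-2008-4297 does not follow the naming used by the entries below it, which carry an origin prefix (proposed_upstream__, deb_specific__) and, for the visible ones, a .patch suffix. Renaming it along those lines would keep the series consistent. It is also placed first, so it applies before the existing patches; that is fine as long as none of them touch mercurial/hgweb/protocol.py near line 224, which is worth checking once.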



