From: Corinna Vinschen
Date: Wed, 20 Apr 2016 09:00:00 -0000
To: cygwin@cygwin.com
Cc: Jari Aalto
Subject: Re: Security update needed for mercurial

On Apr 19 17:30, Andy Moreton wrote:
> On Sat 02 Apr 2016, Andy Moreton wrote:
>
> > Hi,
> >
> > The current package is for mercurial 3.5.1, but upstream have released

Actually the Cygwin mercurial package is at 3.6.3.

> > 3.7.3 as a security release, with fixes for:
> >
> > CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
> > CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
> > CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
> >
> > Release announcement is here:
> > http://permalink.gmane.org/gmane.comp.version-control.mercurial.general/37523
> >
> > Can the cygwin mercurial maintainer please issue an updated package.
> >
>
> Is the mercurial maintainer still reading the list ?

I CCed him.

Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat