* Updated package needed for mercurial 3.7.3 security update
@ 2016-04-02 17:52 Andy Moreton
2016-04-19 18:22 ` Security update needed for mercurial Andy Moreton
0 siblings, 1 reply; 7+ messages in thread
From: Andy Moreton @ 2016-04-02 17:52 UTC (permalink / raw)
To: cygwin
Hi,
The current package is for mercurial 3.5.1, but upstream have released
3.7.3 as a security release, with fixes for:
CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
Release announcement is here:
http://permalink.gmane.org/gmane.comp.version-control.mercurial.general/37523
Can the cygwin mercurial maintainer please issue an updated package.
Thanks,
AndyM
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: Security update needed for mercurial
2016-04-02 17:52 Updated package needed for mercurial 3.7.3 security update Andy Moreton
@ 2016-04-19 18:22 ` Andy Moreton
2016-04-20 9:00 ` Corinna Vinschen
0 siblings, 1 reply; 7+ messages in thread
From: Andy Moreton @ 2016-04-19 18:22 UTC (permalink / raw)
To: cygwin
On Sat 02 Apr 2016, Andy Moreton wrote:
> Hi,
>
> The current package is for mercurial 3.5.1, but upstream have released
> 3.7.3 as a security release, with fixes for:
>
> CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
> CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
> CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
>
> Release announcement is here:
> http://permalink.gmane.org/gmane.comp.version-control.mercurial.general/37523
>
> Can the cygwin mercurial maintainer please issue an updated package.
>
Is the mercurial maintainer still reading the list ?
AndyM
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: Security update needed for mercurial
2016-04-19 18:22 ` Security update needed for mercurial Andy Moreton
@ 2016-04-20 9:00 ` Corinna Vinschen
2016-04-20 17:08 ` Security update needed for mercurial (upload error: doesn't follow naming convention) Jari Aalto
0 siblings, 1 reply; 7+ messages in thread
From: Corinna Vinschen @ 2016-04-20 9:00 UTC (permalink / raw)
To: cygwin; +Cc: Jari Aalto
[-- Attachment #1: Type: text/plain, Size: 971 bytes --]
On Apr 19 17:30, Andy Moreton wrote:
> On Sat 02 Apr 2016, Andy Moreton wrote:
>
> > Hi,
> >
> > The current package is for mercurial 3.5.1, but upstream have released
Actually the Cygwin mercurial package is at 3.6.3.
> > 3.7.3 as a security release, with fixes for:
> >
> > CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
> > CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
> > CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
> >
> > Release announcement is here:
> > http://permalink.gmane.org/gmane.comp.version-control.mercurial.general/37523
> >
> > Can the cygwin mercurial maintainer please issue an updated package.
> >
>
> Is the mercurial maintainer still reading the list ?
I CCed him.
Thanks,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Security update needed for mercurial (upload error: doesn't follow naming convention)
2016-04-20 9:00 ` Corinna Vinschen
@ 2016-04-20 17:08 ` Jari Aalto
2016-04-20 17:14 ` Corinna Vinschen
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Jari Aalto @ 2016-04-20 17:08 UTC (permalink / raw)
To: cygwin
> 3.7.3 as a security release, with fixes for:
>
> CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
> CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
> CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
New release uploaded, but I got this message (x64)?
ERROR: tar file 'mercurial-3.7.3.tar.gz' in package 'mercurial' doesn't follow naming convention
ERROR: error while reading uploaded packages for Jari Aalto
Jari
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: Security update needed for mercurial (upload error: doesn't follow naming convention)
2016-04-20 17:08 ` Security update needed for mercurial (upload error: doesn't follow naming convention) Jari Aalto
@ 2016-04-20 17:14 ` Corinna Vinschen
2016-04-20 17:22 ` Jon Turney
2016-04-20 18:16 ` Warren Young
2 siblings, 0 replies; 7+ messages in thread
From: Corinna Vinschen @ 2016-04-20 17:14 UTC (permalink / raw)
To: cygwin; +Cc: Jari Aalto
[-- Attachment #1: Type: text/plain, Size: 817 bytes --]
On Apr 20 19:56, Jari Aalto wrote:
> > 3.7.3 as a security release, with fixes for:
> >
> > CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
> > CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
> > CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
>
> New release uploaded, but I got this message (x64)?
>
> ERROR: tar file 'mercurial-3.7.3.tar.gz' in package 'mercurial' doesn't follow naming convention
> ERROR: error while reading uploaded packages for Jari Aalto
Our new calm tool (courtesy Jon Turney) now checks packages for
validity. Shouldn't that be 3.7.3-1?
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Security update needed for mercurial (upload error: doesn't follow naming convention)
2016-04-20 17:08 ` Security update needed for mercurial (upload error: doesn't follow naming convention) Jari Aalto
2016-04-20 17:14 ` Corinna Vinschen
@ 2016-04-20 17:22 ` Jon Turney
2016-04-20 18:16 ` Warren Young
2 siblings, 0 replies; 7+ messages in thread
From: Jon Turney @ 2016-04-20 17:22 UTC (permalink / raw)
To: cygwin; +Cc: Jari Aalto
On 20/04/2016 17:56, Jari Aalto wrote:
>> 3.7.3 as a security release, with fixes for:
>>
>> CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
>> CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
>> CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
>
> New release uploaded, but I got this message (x64)?
Thanks.
> ERROR: tar file 'mercurial-3.7.3.tar.gz' in package 'mercurial' doesn't follow naming convention
> ERROR: error while reading uploaded packages for Jari Aalto
Yes, you seem to have uploaded:
mercurial-3.7.3.tar.gz - upstream tar file
mercurial-3.7.3-1.tar.xz - cygwin binary package
mercurial-3.7.3-1-src.tar.xz - cygwin source package containing the
upstream tar file and build script
The behaviour of upset was to accept mercurial-3.7.3.tar.gz as a binary
package file, fortunately of a version preceding 3.7.3-1.
This was never correct, so it's now reported as an error.
I have removed the upstream tar files to allow the upload to proceed.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Security update needed for mercurial (upload error: doesn't follow naming convention)
2016-04-20 17:08 ` Security update needed for mercurial (upload error: doesn't follow naming convention) Jari Aalto
2016-04-20 17:14 ` Corinna Vinschen
2016-04-20 17:22 ` Jon Turney
@ 2016-04-20 18:16 ` Warren Young
2 siblings, 0 replies; 7+ messages in thread
From: Warren Young @ 2016-04-20 18:16 UTC (permalink / raw)
To: The Cygwin Mailing List
On Apr 20, 2016, at 10:56 AM, Jari Aalto <jari.aalto@cante.net> wrote:
>
>> 3.7.3 as a security release, with fixes for:
>>
>> CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
>> CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
>> CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
>
> New release uploaded, but I got this message (x64)?
>
> ERROR: tar file 'mercurial-3.7.3.tar.gz' in package 'mercurial' doesn't follow naming convention
> ERROR: error while reading uploaded packages for Jari Aalto
I take from that that you are not using cygport for that package? This sort of detail is one of the things that cygport takes care of for you.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-04-20 18:07 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-04-02 17:52 Updated package needed for mercurial 3.7.3 security update Andy Moreton
2016-04-19 18:22 ` Security update needed for mercurial Andy Moreton
2016-04-20 9:00 ` Corinna Vinschen
2016-04-20 17:08 ` Security update needed for mercurial (upload error: doesn't follow naming convention) Jari Aalto
2016-04-20 17:14 ` Corinna Vinschen
2016-04-20 17:22 ` Jon Turney
2016-04-20 18:16 ` Warren Young
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).