PR#3: Update to 4.5.3, CVE-2018-1000132 - rpms/mercurial

rpms / mercurial

#3 Update to 4.5.3, CVE-2018-1000132

Closed 5 years ago by pstodulk. Opened 6 years ago by pcahyna.

rpms/ pcahyna/mercurial 453update into master

Pavel Cahyna • 6 years ago

1327371

.gitignore

file modified

		`@@ -59,3 +59,4 @@`
		`/mercurial-4.2.1.tar.gz`
		`/mercurial-4.2.3.tar.gz`
		`/mercurial-4.4.2.tar.gz`
		`+ /mercurial-4.5.3.tar.gz`

mercurial.spec

file modified

+7 -3

		`@@ -2,8 +2,8 @@`

		`Summary: Mercurial -- a distributed SCM`
		`Name: mercurial`
		`- Version: 4.4.2`
		`- Release: 4%{?dist}`
		`+ Version: 4.5.3`
		`+ Release: 1%{?dist}`

		`# Release: 1.rc1%{?dist}`

		`@@ -128,7 +128,6 @@`
		`%doc CONTRIBUTORS COPYING doc/README doc/hg.txt doc/hg.html .cgi contrib/.fcgi contrib/*.wsgi`
		`%doc %attr(644,root,root) %{_mandir}/man?/hg*.gz`
		`%doc %attr(644,root,root) contrib/*.svg`
		`- %{_datadir}/zsh/site-functions/_mercurial`
		`%{_bindir}/hg-ssh`
		`%{_datadir}/bash-completion/`
		`%dir %{_datadir}/zsh/`
		`@@ -151,6 +150,11 @@`
		`##cd tests && %{__python} run-tests.py`

		`%changelog`
		`+ * Wed Apr 25 2018 Pavel Cahyna <pcahyna@redhat.com> - 4.5.3-1`
		`+ - Update to 4.5.3`
		`+ - Resolves: CVE-2018-1000132`
		`+ - Remove an unneeded file entry for zsh/site-functions/_mercurial`
		`+`
		`* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.4.2-4`
		`- Escape macros in %%changelog`

sources

file modified

+1 -1

		`@@ -1,1 +1,1 @@`
		`- SHA512 (mercurial-4.4.2.tar.gz) = 3d1d103689eac4f50cc1005be44144b37d75ebfac3ff3b4fc90d6f41fbee46e107a168d04f2c366ce7cca2733ea4e5b5127df462af8e253f61a72f8938833993`
		`+ SHA512 (mercurial-4.5.3.tar.gz) = 9c23ffefb0a194b5a88ee783186347c21e7d973524ba40119439702953b35b01ad6fbc32ce09ae169f1020963e92312a39321b1da3ffe06db1d44158761abbec`

pcahyna commented 6 years ago

Update to 4.5.3
Resolves: CVE-2018-1000132
Remove an unneeded (since 7abb7b6) file entry for zsh/site-functions/_mercurial

skisela commented 5 years ago

ping @nbecker @pstodulk @kiilerix
Mercurial upstream is shortly approaching 4.7 already.

Shall I provide PR for 4.7 once it is released, or are there some other plans?

pstodulk commented 5 years ago

For mercurial v4.7 some packages will be probably broken (at least git-remote-hg). Mercurial v4.5.3 (even v4.6) should be safe for git-remote-hg. Not sure what about other packages. These components requires mercurial:

git-cinnabar
gitifyhg
git-remote-hg
golang
gwsmhg
hg-git
hgsubversion
hgsvn
hgview
python-anyvc
python-hgapi
python-hghooks
python-vcstools
python-wstool
pyvcs
qct
rabbitvcs
rbm
tortoisehg
trac-mercurial-plugin

I will send email on fedora devel to ask the others. As the beta is close, I would rebase just to v4.5.3 (or maybe v4.6) now and after the F29 will be branched we will rebase rawhide to v4.7 to give more time to the others.

@nbecker, @kiilerix : What do you think about that?

Edited 5 years ago by pstodulk

pstodulk commented 5 years ago

Mercurial has been rebased to v4.5.3 with additional changes. I am closing this PR.