#3 Update to 4.5.3, CVE-2018-1000132
Closed a year ago by pstodulk. Opened a year ago by pcahyna.
rpms/ pcahyna/mercurial 453update  into  master

file modified
+1

@@ -59,3 +59,4 @@ 

  /mercurial-4.2.1.tar.gz

  /mercurial-4.2.3.tar.gz

  /mercurial-4.4.2.tar.gz

+ /mercurial-4.5.3.tar.gz

file modified
+7 -3

@@ -2,8 +2,8 @@ 

  

  Summary: Mercurial -- a distributed SCM

  Name: mercurial

- Version: 4.4.2

- Release: 4%{?dist}

+ Version: 4.5.3

+ Release: 1%{?dist}

  

  # Release: 1.rc1%{?dist}

  

@@ -128,7 +128,6 @@ 

  %doc CONTRIBUTORS COPYING doc/README doc/hg*.txt doc/hg*.html *.cgi contrib/*.fcgi contrib/*.wsgi

  %doc %attr(644,root,root) %{_mandir}/man?/hg*.gz

  %doc %attr(644,root,root) contrib/*.svg

- %{_datadir}/zsh/site-functions/_mercurial

  %{_bindir}/hg-ssh

  %{_datadir}/bash-completion/

  %dir %{_datadir}/zsh/
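Review bot: Removing `%{_datadir}/zsh/site-functions/_mercurial` leaves only `%dir %{_datadir}/zsh/` in the visible %files context, and `%dir` owns the directory itself, not the files under it. Please confirm that an entry outside this hunk still packages the zsh completion file. If none does, the build either fails on an installed-but-unpackaged file or the completion silently drops out of the package. The PR description points at 7abb7b6 as the reason the entry is unneeded; the changelog line should name what supersedes it.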

@@ -151,6 +150,11 @@ 

  ##cd tests && %{__python} run-tests.py

  

  %changelog

+ * Wed Apr 25 2018 Pavel Cahyna <pcahyna@redhat.com> - 4.5.3-1

+ - Update to 4.5.3

+ - Resolves: CVE-2018-1000132

+ - Remove an unneeded file entry for zsh/site-functions/_mercurial

+ 

  * Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 4.4.2-4

  - Escape macros in %%changelog
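Review bot: The new changelog line `- Resolves: CVE-2018-1000132` carries no tracking bug id, so the build cannot be matched to the CVE tracker by bug number. Suggest appending the Bugzilla id for this CVE to that line. Separately, the context line `##cd tests && %{__python} run-tests.py` shows the test run is commented out, so this rebase from 4.4.2 to 4.5.3 is built without the upstream test suite; consider re-enabling it or noting why it stays off.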

  

file modified
+1 -1

@@ -1,1 +1,1 @@ 

- SHA512 (mercurial-4.4.2.tar.gz) = 3d1d103689eac4f50cc1005be44144b37d75ebfac3ff3b4fc90d6f41fbee46e107a168d04f2c366ce7cca2733ea4e5b5127df462af8e253f61a72f8938833993

+ SHA512 (mercurial-4.5.3.tar.gz) = 9c23ffefb0a194b5a88ee783186347c21e7d973524ba40119439702953b35b01ad6fbc32ce09ae169f1020963e92312a39321b1da3ffe06db1d44158761abbec
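Review bot: The replaced `SHA512 (mercurial-4.5.3.tar.gz)` line is the only integrity check on the new tarball, and nothing in the diff or description says where the digest came from. Please state in the PR how the tarball was obtained and that it was verified against upstream's release (signature or published digest) before upload to the lookaside cache, since this is a security update.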

Update to 4.5.3
Resolves: CVE-2018-1000132
Remove an unneeded (since 7abb7b6) file entry for zsh/site-functions/_mercurial

ping @nbecker @pstodulk @kiilerix
Mercurial upstream is shortly approaching 4.7 already.

Shall I provide a PR for 4.7 once it is released, or are there some other plans?

For mercurial v4.7 some packages will probably be broken (at least git-remote-hg). Mercurial v4.5.3 (even v4.6) should be safe for git-remote-hg. Not sure about other packages. These components require mercurial:

  • git-cinnabar
  • gitifyhg
  • git-remote-hg
  • golang
  • gwsmhg
  • hg-git
  • hgsubversion
  • hgsvn
  • hgview
  • python-anyvc
  • python-hgapi
  • python-hghooks
  • python-vcstools
  • python-wstool
  • pyvcs
  • qct
  • rabbitvcs
  • rbm
  • tortoisehg
  • trac-mercurial-plugin

I will send an email to fedora devel to ask the others. As the beta is close, I would rebase just to v4.5.3 (or maybe v4.6) now, and after F29 is branched we will rebase rawhide to v4.7 to give more time to the others.

@nbecker, @kiilerix: What do you think about that?

Mercurial has been rebased to v4.5.3 with additional changes. I am closing this PR.

Pull-Request has been closed by pstodulk

a year ago