A CVE has been assigned for a security issue fixed in Mercurial 4.4.1: http://openwall.com/lists/oss-security/2017/12/10/5 Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
CC'ing Shlomi and the PHP maintainers, because I'm not sure Philippem is available again.
CC: (none) => marja11, php, shlomif
(In reply to Marja van Waes from comment #1)
> CC'ing Shlomi and the PHP maintainers, because I'm not sure Philippem is
> available again.

Sorry, s/PHP/Python/
CC: php => python
Presumably fixed in Cauldron by upgrading to mercurial 4.4.2. I see the mga5 EOL is in 20 days. Can we just upgrade mercurial there too? I don't expect any major breakages.
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
It's probably not worth making a major upgrade for it for Mageia 5, if we can't backport the patch. I haven't looked through the commits to see if I could find the right one or to see how hard it would be to backport.
openSUSE has issued an advisory for this today (December 18): https://lists.opensuse.org/opensuse-updates/2017-12/msg00071.html They have a patch for 3.x (in Leap 42.2).
Advisory:
========================

Updated mercurial package fixes security vulnerability:

A specially malformed repository may have caused Git subrepositories to run
arbitrary code (CVE-2017-17458).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17458
https://lists.opensuse.org/opensuse-updates/2017-12/msg00071.html
========================

Updated packages in core/updates_testing:
========================
mercurial-3.1.1-5.6.mga5
mercurial-4.1.3-1.2.mga6

from SRPMS:
mercurial-3.1.1-5.6.mga5.src.rpm
mercurial-4.1.3-1.2.mga6.src.rpm
Assignee: makowski.mageia => qa-bugs
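An added example, not part of the bug report or of the Mageia packaging: a POSIX sh check that compares an installed mercurial package name-version-release string against the fixed releases the advisory lists (mercurial-3.1.1-5.6.mga5 and mercurial-4.1.3-1.2.mga6). It treats a package as fixed when it carries the advisory's upstream version with a release at or past the advisory's, or a newer upstream version altogether (the Cauldron route of simply moving to a newer mercurial). The sample strings at the bottom are constructed inputs, not rpm output from the testers' machines; on a real Mageia system you would feed it the output of `rpm -q mercurial`.

```shell
# Added example: verify a mercurial NVR against MGASA-2018-0041's fixed releases.
# Not from the bug report; the fixed version/release table below is copied from
# the advisory text above, everything else is this example's own logic.

# ver_ge A B: return 0 if dotted numeric version A >= B, 1 otherwise.
# Missing trailing components count as 0 (so 3.1 == 3.1.0).
ver_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        # consume the leading component of each side
        [ "$x" = "$a" ] && a='' || a=${a#*.}
        [ "$y" = "$b" ] && b='' || b=${b#*.}
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# mercurial_fixed NVR: return 0 if the package is at or past the advisory's
# release for its Mageia version, 1 if it is older (vulnerable), 2 if the
# string is not a mercurial NVR for a release the advisory covers.
mercurial_fixed() {
    nvr=$1
    case $nvr in
        mercurial-[0-9]*) ;;
        *) printf 'not a mercurial NVR: %s\n' "$nvr" >&2; return 2 ;;
    esac
    vr=${nvr#mercurial-}          # 3.1.1-5.6.mga5
    version=${vr%%-*}             # 3.1.1
    release=${vr#*-}              # 5.6.mga5
    dist=${release##*.}           # mga5
    relnum=${release%.$dist}      # 5.6

    # Fixed version/release per Mageia release, from the advisory above.
    case $dist in
        mga5) fv=3.1.1; fr=5.6 ;;
        mga6) fv=4.1.3; fr=1.2 ;;
        *) printf 'no advisory data for %s\n' "$dist" >&2; return 2 ;;
    esac

    if ver_ge "$version" "$fv"; then
        if ver_ge "$fv" "$version"; then
            # same upstream version: the Mageia release decides
            ver_ge "$relnum" "$fr" && return 0
            return 1
        fi
        return 0   # newer upstream version than the advisory shipped
    fi
    return 1       # older upstream version than the advisory shipped
}

# Constructed sample inputs (hypothetical NVRs, not real rpm -q output).
for nvr in mercurial-3.1.1-5.5.mga5 mercurial-3.1.1-5.6.mga5 \
           mercurial-4.1.3-1.1.mga6 mercurial-4.1.3-1.2.mga6 \
           mercurial-4.4.2-1.mga6; do
    if mercurial_fixed "$nvr"; then
        echo "$nvr: fixed"
    else
        echo "$nvr: vulnerable or unknown"
    fi
done
```

The release comparison is numeric on the dotted part before the `mgaN` tag only; it does not attempt full RPM label ordering (epochs, alphanumeric releases), which is enough for the two package lines in this advisory but not a general substitute for `rpmdev-vercmp`.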
To test normally.
MGA5-32 on Dell Latitude D600 Xfce
No installation issues

Ref to bug 21502 Comment 2

$ hg config --edit
set username

hg clone https://bitbucket.org/jthlim/pvrtccompressor
warning: bitbucket.org certificate with fingerprint 3f:d3:c5:17:23:3c:cd:f5:2d:17:76:06:93:7e:ee:97:42:21:14:aa not verified (check hostfingerprints or web.cacerts config setting)
destination directory: pvrtccompressor
requesting all changes
adding changesets
adding manifests
adding file changes
added 19 changesets with 74 changes to 28 files
updating to branch default
27 files updated, 0 files merged, 0 files removed, 0 files unresolved

$ cd pvrtccompressor
remove 3 comment lines from file Bitscale.cpp

$ hg diff
diff -r cf7177748ee0 BitScale.cpp
--- a/BitScale.cpp	Thu Jan 08 18:37:52 2015 +0800
+++ b/BitScale.cpp	Sat Dec 30 16:42:12 2017 +0100
@@ -1,8 +1,6 @@
 #include "BitScale.h"
-#ifdef _WIN32
-#define constexpr const
-#endif
+
 constexpr uint8_t Javelin::Data::BITSCALE_5_TO_8[32] = {
 	0, 8, 16, 24, 32, 41, 49, 57, 65, 74,

$ hg commit -m 'Who cares about Windows anyway?'

$ hg log | head -n 5
changeset:   19:5c4ea8252fcb
tag:         tip
user:        tester
date:        Sat Dec 30 16:46:27 2017 +0100
summary:     Who cares about Windows anyway?

Looks all OK to me.
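Review bot: the three removed lines in the BitScale.cpp hunk (`#ifdef _WIN32`, `#define constexpr const`, `#endif`) are preprocessor directives providing a `constexpr` fallback for `_WIN32` builds, not comment lines as the step description says. For a throwaway commit that only exercises `hg diff`/`hg commit` this is harmless, but the same edit in a real change would drop that Windows fallback; the commit message at least says so.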
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene
Keywords: (none) => advisory
CC: (none) => davidwhodgins
Thanks for the test procedure Herman. Same test on Mageia 6 x86_64. Validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0041.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED