Ubuntu has issued an advisory on August 6: https://usn.ubuntu.com/4086-1/ The issue is fixed upstream in 4.9. Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Status comment: (none) => Fixed upstream in 4.9
Shlomi, I see you updated Mageia 7 to 4.9.1. Cauldron still has 4.7.2, and Mageia 6 also needs an update.
mercurial-4.9.1-1.mga7
(In reply to David Walser from comment #1)
> Shlomi, I see you updated Mageia 7 to 4.9.1. Cauldron still has 4.7.2, and
> Mageia 6 also needs an update.
>
> mercurial-4.9.1-1.mga7
Cauldron is now on hg 5.1.
(In reply to Shlomi Fish from comment #2)
> (In reply to David Walser from comment #1)
> > Shlomi, I see you updated Mageia 7 to 4.9.1. Cauldron still has 4.7.2, and
> > Mageia 6 also needs an update.
> >
> > mercurial-4.9.1-1.mga7
>
> Cauldron is now on hg 5.1.
Are you sure it actually built? Sophie sees a SRPM for 5.1 but only sees 4.7.2 for binary RPMS.
(note to self, Shlomi updated Mageia 6: mercurial-4.9.1-1.mga6 )
Oh I see 5.1 on pkgsubmit. Sophie is slow. Thanks.
Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Advisory:
========================
Updated mercurial package fixes security vulnerability:
It was discovered that Mercurial mishandled symlinks in subrepositories. An attacker could use this vulnerability to write arbitrary files to the target’s filesystem (CVE-2019-3902).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3902
https://usn.ubuntu.com/4086-1/
========================
Updated packages in core/updates_testing:
========================
mercurial-4.9.1-1.mga6
mercurial-4.9.1-1.mga7
from SRPMS:
mercurial-4.9.1-1.mga6.src.rpm
mercurial-4.9.1-1.mga7.src.rpm
Assignee: shlomif => qa-bugs
CC: (none) => shlomif
Installed and tested without issues.
Tested on several existing and new, remote and local repositories. Tests included init, clone, pull, push, status, verify, add, commit, summary, etc.
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.1.20-desktop-2.mga7 #1 SMP Fri Jul 26 23:04:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q mercurial
mercurial-4.9.1-1.mga7
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
CC: (none) => mageia
MGA6-64 Plasma on Lenovo B50
No installation issues
Ref to bug 22895 Comment 5 and 7 for tests. As responses of the program are a little different, I show the tests completely here:
$ hg version
Mercurial Distributed SCM (version 4.9.1)
(see https://mercurial-scm.org for more information)
Copyright (C) 2005-2019 Matt Mackall and others
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ cd Documenten/
$ mkdir qa
$ mkdir qa/hg
$ cd qa/hg
$ hg init
$ ls -a .hg
./ ../ 00changelog.i cache/ requires store/ wcache/
$ cd .hg
$ hg clone http://selenic.com/hg mercurial-repo
real URL is https://www.mercurial-scm.org/repo/hg/
requesting all changes
adding changesets
adding manifests
adding file changes
added 42845 changesets with 81230 changes to 3381 files (+1 heads)
new changesets 9117c6561b0b:b22a8dadc6f5
updating to bookmark @
1989 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ ls
00changelog.i cache/ mercurial-repo/ requires store/ wcache/
$ cd mercurial-repo/
$ ls
contrib/ CONTRIBUTORS doc/ hgdemandimport/ hgext/ hgweb.cgi* Makefile README.rst rust/ tests/ CONTRIBUTING COPYING hg* hgeditor* hgext3rd/ i18n/ mercurial/ relnotes/ setup.py
$ du -hs
107M .
$ hg sum
parent: 42842:2c74337e6483
remotefilelog: reduce probability of race-condition in remotefilelog tests
branch: default
bookmarks: *@
commit: (clean)
update: (current)
$ hg add
$ hg parents
changeset: 42842:2c74337e6483
bookmark: @
user: Boris Feld <boris.feld@octobus.net>
date: Wed Aug 28 16:01:16 2019 +0200
summary: remotefilelog: reduce probability of race-condition in remotefilelog tests
$ hg help
Mercurial Distributed SCM
list of commands:
Repository creation:
clone make a copy of an existing repository
init create a new repository in the given directory
and a lot more ....
$ hg config --edit
that would allow to change password e.g.
All seems OK.
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK
CC: (none) => herman.viaene
Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0250.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Hmmm! This update broke tortoisehg now, see bug 25455
CC: (none) => geiger.david68210