Update py-mercurial to 3.7.3.
This is an out of cycle release to address three security issues:
CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.
CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.
CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.
bdiff: (pure) support array.array arrays (issue5130)
convert: add new, non-clowny interface for shelling out to git (SEC)
convert: dead code removal - old git calling functions (SEC)
convert: rewrite calls to Git to use the new shelling mechanism (SEC)
convert: rewrite gitpipe to use common.commandline (SEC)
convert: test for shell injection in git calls (SEC)
files: don't recurse into subrepos without a path or -S (issue5127)
hg: perform update after pulling during clone with share (issue5103)
mq: restrict generated patch name to 75 characters (issue5117)
obsolete: fix n^2 marker computation behavior
parsers: detect short records (SEC)
parsers: fix list sizing rounding error (SEC)
streamclone: fix error when store files grow while stream cloning
subrepo: adapt to git's recent renames-by-default
subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)
(wiz)
diff -r1.31 -r1.32 pkgsrc/devel/py-mercurial/Makefile.version| @@ -1,15 +1,15 @@ | @@ -1,15 +1,15 @@ | |||
| 1 | # $NetBSD: Makefile.version,v 1.31 2016/03/02 19:31:13 wiz Exp $ | 1 | # $NetBSD: Makefile.version,v 1.32 2016/04/08 20:57:36 wiz Exp $ | |
| 2 | 2 | |||
| 3 | VERSION= 3.7.2 | 3 | VERSION= 3.7.3 | |
| 4 | 4 | |||
| 5 | PYTHON_VERSIONS_INCOMPATIBLE= 33 34 35 # not yet ported as of 3.4.1 | 5 | PYTHON_VERSIONS_INCOMPATIBLE= 33 34 35 # not yet ported as of 3.4.1 | |
| 6 | # see also http://mercurial.selenic.com/wiki/SupportedPythonVersions | 6 | # see also http://mercurial.selenic.com/wiki/SupportedPythonVersions | |
| 7 | # 3.x support is not planned for the near future | 7 | # 3.x support is not planned for the near future | |
| 8 | # | 8 | # | |
| 9 | # the following setup argument was requested when compiling | 9 | # the following setup argument was requested when compiling | |
| 10 | # for python-3.x | 10 | # for python-3.x | |
| 11 | #.include "../../lang/python/pyversion.mk" | 11 | #.include "../../lang/python/pyversion.mk" | |
| 12 | # | 12 | # | |
| 13 | #.if "${PYPKGPREFIX}" != "py27" | 13 | #.if "${PYPKGPREFIX}" != "py27" | |
| 14 | #PYSETUPARGS+= --c2to3 | 14 | #PYSETUPARGS+= --c2to3 | |
| 15 | #.endif | 15 | #.endif |
| @@ -1,8 +1,8 @@ | @@ -1,8 +1,8 @@ | |||
| 1 | $NetBSD: distinfo,v 1.32 2016/03/02 19:31:13 wiz Exp $ | 1 | $NetBSD: distinfo,v 1.33 2016/04/08 20:57:36 wiz Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (mercurial-3.7.2.tar.gz) = d684386cfe7a1f4170243ce51c78e64ee1cd8d75 | 3 | SHA1 (mercurial-3.7.3.tar.gz) = e3bcabc2fb119e61235ef2b714fc536142ddc01b | |
| 4 | RMD160 (mercurial-3.7.2.tar.gz) = ac59bdef478819f25124035ae55d28fd121128ab | 4 | RMD160 (mercurial-3.7.3.tar.gz) = 720aee6d31efabc24163e727c890e337d3568984 | |
| 5 | SHA512 (mercurial-3.7.2.tar.gz) = 573b35052ec50f4672cdd5afd93080edc864deb854b890c8cedba53c40d6d3a37a560e364b94b819cfc6d9fc5c07c0411a13167f0888007e5c9366bc94154306 | 5 | SHA512 (mercurial-3.7.3.tar.gz) = 7f9f97229e40c7092c16ccf227b19a08a9839d8ce19a9d057341fff75876bff32241ee9aa10eab293f779ea3e8a1d97577597187bd96251fb499cbb1075a82cf | |
| 6 | Size (mercurial-3.7.2.tar.gz) = 4634748 bytes | 6 | Size (mercurial-3.7.3.tar.gz) = 4636732 bytes | |
| 7 | SHA1 (patch-mercurial_repoview.py) = 7d154dd2186edf5311dfc8902638857a72ba6129 | 7 | SHA1 (patch-mercurial_repoview.py) = 7d154dd2186edf5311dfc8902638857a72ba6129 | |
| 8 | SHA1 (patch-tests_test-commandserver.t) = 12c3092e3e832b414dd4155ffb678b7f0612495d | 8 | SHA1 (patch-tests_test-commandserver.t) = 12c3092e3e832b414dd4155ffb678b7f0612495d |