This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Security update needed for mercurial (upload error: doesn't follow naming convention)

On 20/04/2016 17:56, Jari Aalto wrote:
3.7.3 as a security release, with fixes for:

CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos

New release uploaded, but I got this message (x64)?


ERROR: tar file 'mercurial-3.7.3.tar.gz' in package 'mercurial' doesn't follow naming convention
ERROR: error while reading uploaded packages for Jari Aalto

Yes, you seem to have uploaded:

mercurial-3.7.3.tar.gz       - upstream tar file
mercurial-3.7.3-1.tar.xz     - cygwin binary package
mercurial-3.7.3-1-src.tar.xz - cygwin source package containing the upstream tar file and build script

The behaviour of upset was to accept mercurial-3.7.3.tar.gz as a binary package file, fortunately of a version preceding 3.7.3-1.

This was never correct, so it's now reported as an error.

I have removed the upstream tar files to allow the upload to proceed.

Problem reports:
Unsubscribe info:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]