mercurial (3.7.3-1ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Refresh CVE-2018-13347-extras.patch as it was missing
    part of the fix. Also updated CVE-2018-13346.patch and
    CVE-2018-13348.patch to correctly reflect the correct lines.

 -- Eduardo Barretto  Tue, 27 Nov 2018 11:54:57 -0200

mercurial (3.7.3-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: The convert extension might allow attackers to
    execute arbitrary code via a crafted git repository name.
    - debian/patches/CVE-2016-3105.patch: Pass absolute paths to git.
    - CVE-2016-3105
  * SECURITY UPDATE: hg serve --stdio allows remote authenticated users
    to launch the Python debugger and execute arbitrary code.
    - debian/patches/CVE-2017-9462.patch: Protect against malicious
      hg serve --stdio invocations.
    - CVE-2017-9462
  * SECURITY UPDATE: A specially malformed repository can cause GIT
    subrepositories to run arbitrary code.
    - debian/patches/CVE-2017-17458_part1.patch: add
      test-audit-subrepo.t testcase.
    - debian/patches/CVE-2017-17458_part2.patch: disallow symlink
      traversal across subrepo mount point.
    - CVE-2017-17458
  * SECURITY UPDATE: Missing symlink check could be abused to write to
    files outside the repository.
    - debian/patches/CVE-2017-1000115.patch: Fix symlink traversal.
    - CVE-2017-1000115
  * SECURITY UPDATE: Possible shell-injection attack from not adequately
    sanitizing hostnames passed to ssh.
    - debian/patches/CVE-2017-1000116.patch: Sanitize hostnames passed
      to ssh.
    - CVE-2017-1000116
  * SECURITY UPDATE: Integer underflow and overflow.
    - debian/patches/CVE-2018-13347.patch: Protect against underflow.
    - debian/patches/CVE-2018-13347-extras.patch: Protect against
      overflow.
    - CVE-2018-13347
  * SECURITY UPDATE: Able to start fragment past the end of original
    data.
    - debian/patches/CVE-2018-13346.patch: Ensure fragment start is not
      past the end of orig.
    - CVE-2018-13346
  * SECURITY UPDATE: Data mishandling in certain situations.
    - debian/patches/CVE-2018-13348.patch: Be more careful about parsing
      binary patch data.
    - CVE-2018-13348
  * SECURITY UPDATE: Vulnerability in Protocol server can result in
    unauthorized data access.
    - debian/patches/CVE-2018-1000132.patch: Always perform permissions
      checks on protocol commands.
    - CVE-2018-1000132

 -- Eduardo Barretto  Tue, 13 Nov 2018 16:10:13 -0200

mercurial (3.7.3-1ubuntu1) xenial; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/patches/fix_tz_ftbfs.patch: fix test failure caused by
      timezone parsing oddity with newer glibc.

 -- Gianfranco Costamagna  Wed, 06 Apr 2016 14:53:10 +0200

mercurial (3.7.3-1) unstable; urgency=medium

  * New security upstream release fixes CVE-2016-3068, CVE-2016-3069 and
    CVE-2016-3630.
  * Fix "FTBFS when built with dpkg-buildpackage -A". Thanks Julien
    Cristau for the patch (Closes: #807021)
  * Avoid allow-stderr in mercurial-git autopkgtest

 -- Javi Merino  Wed, 30 Mar 2016 08:20:07 +0100

mercurial (3.7.2-2) unstable; urgency=medium

  * Don't run test-clonebundle.t when building. Reproducible builds
    don't set up name resolution (Closes: #809770)

 -- Javi Merino  Sat, 05 Mar 2016 12:08:37 +0000

mercurial (3.7.2-1) unstable; urgency=medium

  * New upstream release
  * Blacklist test-parse-date.t. It fails on some of the chroots of
    some architectures
  * Bump standards-version to 3.9.6 (no change needed)
  * Use https for vcs-browser. Thanks lintian
  * Update homepage

 -- Javi Merino  Wed, 02 Mar 2016 22:28:36 +0000

mercurial (3.7.1-1) unstable; urgency=medium

  * New upstream release
  * Fix "mercurial-git autopkgtest fails because of stderr" by allowing
    the test to output to stderr (Closes: #808376)
  * Allow the hgsubversion test to output to stderr

 -- Javi Merino  Thu, 11 Feb 2016 22:43:27 +0000

mercurial (3.6.2-1ubuntu2) xenial; urgency=medium

  * debian/tests/mercurial-git: Redirect stderr of git clone and git
    push to stdout, to fix failure.

 -- Dmitry Shachnev  Thu, 17 Dec 2015 10:40:57 +0300

mercurial (3.6.2-1ubuntu1) xenial; urgency=medium

  * Merge with Debian unstable, remaining change:
    - debian/patches/fix_tz_ftbfs.patch: fix test failure caused by
      timezone parsing oddity with newer glibc.

 -- Dmitry Shachnev  Wed, 16 Dec 2015 18:49:21 +0300

mercurial (3.6.2-1) unstable; urgency=medium

  * New upstream release
  * Improve autopkgtest for mercurial-git to test pushing commits from
    the mercurial clone to git
  * Update breaks of hgsubversion. hgsubversion 1.8.3-2 works with
    mercurial 3.6

 -- Javi Merino  Fri, 04 Dec 2015 07:37:49 +0000

# For older changelog entries, run 'apt-get changelog mercurial-common'