Subject: CVS commit: [pkgsrc-2005Q4] pkgsrc/devel/monotone
To: None <pkgsrc-changes@NetBSD.org>
From: Lubomir Sedlacik <salo@netbsd.org>
List: pkgsrc-changes
Date: 03/15/2006 14:34:10
Module Name:	pkgsrc
Committed By:	salo
Date:		Wed Mar 15 14:34:10 UTC 2006

Modified Files:
	pkgsrc/devel/monotone [pkgsrc-2005Q4]: Makefile PLIST distinfo

Log Message:
Pullup ticket 1214 - requested by Julio M. Merino Vidal
security update for monotone

Patch provided by the submitter.

   Module Name:		pkgsrc
   Committed By:	jmmv
   Date:		Thu Mar  9 20:30:16 UTC 2006

   Modified Files:
   	pkgsrc/devel/monotone: Makefile distinfo

   Log Message:
   Update to 0.25.2:

           0.25.2 release.  Important security fix for Windows and OS X
           users.

           With versions of monotone prior to this release, a person with
           commit access could commit a malicious file with a name like
           "mt/monotonerc".  When anybody else then checked out this
           revision on a system with a case-folding filesystem --
           usually, this means, "on Windows or OS X" -- then their
           monotone would run arbitrary Lua code stored in this file.

           The _only_ change in this release as compared to 0.25 is that
           the existing checks against files in MT are now extended to
           check for mt, Mt, and mT.

           All users on Windows and OS X, or otherwise checking out
           versioned source on a case-insensitive filesystem, are
           recommended to upgrade immediately.  Binaries used only for
           serving, or only on case-insensitive filesystems (i.e., most
           Unix users), are not affected.

           (0.25.1 was never released in source form.  The original
           0.25 build for Windows was found to have problems on NT 4, and
           0.25.1 was a Windows-only rebuild with NT 4 compatible
           libraries.)


To generate a diff of this commit:
cvs rdiff -r1.17 -r1.17.2.1 pkgsrc/devel/monotone/Makefile
cvs rdiff -r1.3 -r1.3.2.1 pkgsrc/devel/monotone/PLIST
cvs rdiff -r1.11 -r1.11.2.1 pkgsrc/devel/monotone/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
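
The following is an added example, not part of the commit message and not monotone's own code. It contrasts an exact-match check for the MT bookkeeping directory with a case-folded one, the kind of check the release note describes. The function names are hypothetical, and it assumes the check applies to the first component of a '/'-separated repository path.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper: first non-empty, non-"." component of a '/'-separated path.
static std::string first_component(const std::string& path) {
    std::string cur;
    for (char c : path) {
        if (c != '/') { cur.push_back(c); continue; }
        if (!cur.empty() && cur != ".") return cur;
        cur.clear();
    }
    return cur == "." ? std::string() : cur;
}

// ASCII-only lowering, independent of the process locale.
static std::string ascii_lower(std::string s) {
    for (char& c : s)
        if (c >= 'A' && c <= 'Z') c = static_cast<char>(c - 'A' + 'a');
    return s;
}

// Exact-match check: only the literal name "MT" is treated as bookkeeping.
bool is_bookkeeping_exact(const std::string& path) {
    return first_component(path) == "MT";
}

// Case-folded check: MT, mt, Mt and mT are all treated as bookkeeping.
bool is_bookkeeping_folded(const std::string& path) {
    return ascii_lower(first_component(path)) == "mt";
}

int main() {
    // Constructed sample paths, not taken from any real repository.
    const char* samples[] = {"MT/monotonerc", "mt/monotonerc", "./Mt/monotonerc",
                             "src/mt/monotonerc", "mtools/README"};
    for (const char* p : samples)
        std::cout << p << "  exact=" << is_bookkeeping_exact(p)
                  << "  folded=" << is_bookkeeping_folded(p) << "\n";
    return 0;
}
```

On a case-folding filesystem the second and third sample paths resolve to the same directory as MT, which is why the exact-match check alone is insufficient there.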