From $URL:
0.48.1 bugfix release.
Security related changes:
- Running "mtn ''" or "mtn ls ''" doesn't cause an internal error anymore. In monotone 0.48 and earlier this behavior could be used to crash a server remotely (but only if it was configured to allow execution of remote commands). Therefore everyone running such a server should update as soon as possible.
Thank you for the report, Tim. Version 0.99, which fixes this issue, is in the tree. Arch teams, please stabilize. Tim, please CC _all_ maintainers on bug reports, or they may stall longer than needed.
Why are arches here? There is no target as far as I can see.
Ok ignore me
Do you really want to fast-track stabilize the fresh 0.99 version with that huge changelog in $URL, while there would be a bugfix-minor-release?!? Personally, I'd rather go with the bugfix release and wait at least 30 days for 0.99...
Ok, I've reviewed the upstream blog and found that 0.99 has some problem on amd64. Although a patch is there (and I've applied it in 0.99-r1), I've decided to push 0.48.1 for fast stabilization. Arch teams, please STABILIZE =dev-vcs/monotone-0.48.1. TIA.
Tests passed over here, looks good to go on x86.
amd64 done. One test failed, but this is a security bug, so I choose to proceed.
stable x86, thanks Andreas
ppc done; closing as last arch
Peter or Daniel, a quick question on this note:
> In monotone 0.48 and earlier this behavior
> could be used to crash a server remotely (but only if it was
> configured to allow execution of remote commands).
Do you know if the capability to run remote commands is enabled by default? Thanks.
Tim, I've contacted upstream and got the following answer:
(21:47:38) thm: I don't think any distribution packages a mtn server package that has remote stdio enabled.
Great, thanks, Peter. GLSA Vote: No,
Vote: NO. Closing noglsa.