Matt Mackall <mpm@selenic.com> [Wed, 16 Mar 2016 17:29:29 -0700] rev 28656
parsers: fix list sizing rounding error (SEC)
CVE-2016-3630 (1/2)
This addresses part of a vulnerability in application of binary
deltas.
Matt Mackall <mpm@selenic.com> [Mon, 28 Mar 2016 17:16:00 -0500] rev 28655
merge with stable
liscju <piotr.listkiewicz@gmail.com> [Mon, 28 Mar 2016 09:12:03 +0200] rev 28654
debugsetparents: remove redundant invocations of begin/endparentchange
Method localrepo.setparents invokes begin/endparentchange internally,
so there is no need to invoke it explicitly in debugsetparents.
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 13:13:19 -0700] rev 28653
sslutil: add docstring to wrapsocket()
Security should not be opaque.
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 11:39:39 -0700] rev 28652
sslutil: remove indentation in wrapsocket declaration
It is no longer needed because we have a single code path.
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 14:18:32 -0700] rev 28651
sslutil: always use SSLContext
Now that we have a fake SSLContext instance, we can unify the code
paths for wrapping sockets to always use the SSLContext APIs.
Because this is security code, I've retained the try..except to
make the diff easier to read. It will be removed in the next patch.
I took the liberty of updating the inline docs about supported
protocols and how the constants work because this stuff is important
and needs to be explicitly documented.
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 14:08:52 -0700] rev 28650
sslutil: move _canloaddefaultcerts logic
We now have a newer block accessing SSLContext. Let's move this
code to make subsequent refactorings of the former block easier.
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 13:50:34 -0700] rev 28649
sslutil: implement SSLContext class
Python <2.7.9 doesn't have a ssl.SSLContext class. In this patch,
we implement the interface to the class so we can have a unified
code path for all supported versions of Python.
This is similar to the approach that urllib3 takes.
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 10:47:24 -0700] rev 28648
sslutil: store OP_NO_SSL* constants in module scope
An upcoming patch will introduce a global SSLContext type so we
have a single function used to wrap sockets. Prepare for that by
introducing module level constants for disabling SSLv2 and SSLv3.
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 14:07:06 -0700] rev 28647
sslutil: better document state of security/ssl module
Pythons older than 2.7.9 are lacking the modern ssl module
and have horrible security. Let's document this explicitly.