Package "mercurial"
Name: mercurial
Description: easy-to-use, scalable distributed version control system
Latest version: 3.7.3-1ubuntu1.2
Release: xenial (16.04)
Level: security
Repository: universe
Homepage: https://www.mercurial-scm.org/
Changelog
mercurial (3.7.3-1ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Refresh CVE-2018-13347-extras.patch as it was
    missing part of the fix. Also updated CVE-2018-13346.patch and
    CVE-2018-13348.patch to correctly reflect the correct lines.

 -- Eduardo Barretto <email address hidden>  Tue, 27 Nov 2018 11:54:57 -0200
CVE-2018-13347: mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.
CVE-2018-13346: The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the origina
CVE-2018-13348: The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining afte
mercurial (3.7.3-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: The convert extension might allow attackers to
    execute arbitrary code via a crafted git repository name.
    - debian/patches/CVE-2016-3105.patch: Pass absolute paths to git.
    - CVE-2016-3105
  * SECURITY UPDATE: hg serve --stdio allows remote authenticated users
    to launch the Python debugger and execute arbitrary code.
    - debian/patches/CVE-2017-9462.patch: Protect against malicious hg
      serve --stdio invocations.
    - CVE-2017-9462
  * SECURITY UPDATE: A specially malformed repository can cause GIT
    subrepositories to run arbitrary code.
    - debian/patches/CVE-2017-17458_part1.patch: add test-audit-subrepo.t
      testcase.
    - debian/patches/CVE-2017-17458_part2.patch: disallow symlink
      traversal across subrepo mount point.
    - CVE-2017-17458
  * SECURITY UPDATE: Missing symlink check could be abused to write to files
    outside the repository.
    - debian/patches/CVE-2017-1000115.patch: Fix symlink traversal.
    - CVE-2017-1000115
  * SECURITY UPDATE: Possible shell-injection attack from not adequately
    sanitizing hostnames passed to ssh.
    - debian/patches/CVE-2017-1000116.patch: Sanitize hostnames passed to ssh.
    - CVE-2017-1000116
  * SECURITY UPDATE: Integer underflow and overflow.
    - debian/patches/CVE-2018-13347.patch: Protect against underflow.
    - debian/patches/CVE-2018-13347-extras.patch: Protect against overflow.
    - CVE-2018-13347
  * SECURITY UPDATE: Able to start fragment past the end of original data.
    - debian/patches/CVE-2018-13346.patch: Ensure fragment start is not past
      the end of orig.
    - CVE-2018-13346
  * SECURITY UPDATE: Data mishandling in certain situations.
    - debian/patches/CVE-2018-13348.patch: Be more careful about parsing
      binary patch data.
    - CVE-2018-13348
  * SECURITY UPDATE: Vulnerability in Protocol server can result in
    unauthorized data access.
    - debian/patches/CVE-2018-1000132.patch: Always perform permissions
      checks on protocol commands.
    - CVE-2018-1000132

 -- Eduardo Barretto <email address hidden>  Tue, 13 Nov 2018 16:10:13 -0200
CVE-2016-3105: The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.
CVE-2017-9462: In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary cod
CVE-2017-17458: In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a
CVE-2017-1000115: Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can allow malicious repositories to modify files outside the repository.
CVE-2017-1000116: Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
CVE-2018-13347: mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.
CVE-2018-13346: The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the origina
CVE-2018-13348: The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining afte
CVE-2018-1000132: Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data