[Group.of.nepali.translators] [Bug 1759366] Re: Multiple Mercurial CVEs have been announced

Wed, 18 Jul 2018 22:51:33 -0700 

** No longer affects: mercurial (Ubuntu Artful)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1759366

Title:
  Multiple Mercurial CVEs have been announced

Status in mercurial package in Ubuntu:
  Fix Released
Status in mercurial source package in Trusty:
  Confirmed
Status in mercurial source package in Xenial:
  Confirmed

Bug description:
  There are multiple CVEs in Mercurial that should be fixed through a
  security update. Here's the releases that I believe need patching and
  the releases which I believe are affected:

   * CVE-2016-3068: Mercurial before 3.7.3 allows remote attackers to execute 
arbitrary code
  via a crafted git ext:: URL when cloning a subrepository.
     - Trusty
   * CVE-2016-3069: Mercurial before 3.7.3 allows remote attackers to execute 
arbitrary code
  via a crafted name when converting a Git repository.
     - Trusty
   * CVE-2016-3105: The convert extension in Mercurial before 3.8 might allow 
context-dependent
  attackers to execute arbitrary code via a crafted git repository name.
     - Trusty
     - Xenial
   * CVE-2016-3630: The binary delta decoder in Mercurial before 3.7.3 allows 
remote attackers
  to execute arbitrary code via a (1) clone, (2) push, or (3) pull command,
  related to (a) a list sizing rounding error and (b) short records.
     - Trusty
   * CVE-2017-17458: In Mercurial before 4.4.1, it is possible that a specially 
malformed
  repository can cause Git subrepositories to run arbitrary code in the form
  of a .git/hooks/post-update script checked into the repository. Typical use
  of Mercurial prevents construction of such repositories, but they can be
  created programmatically.
     - Trusty
     - Xenial
     - Artful
   * CVE-2018-1000132: Mercurial version 4.5 and earlier contains a Incorrect 
Access Control
  (CWE-285) vulnerability in Protocol server that can result in Unauthorized
  data access. This attack appear to be exploitable via network connectivity.
  This vulnerability appears to have been fixed in 4.5.1.
     - Trusty
     - Xenial
     - Artful

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mercurial/+bug/1759366/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp

Reply via email to