*** This bug is a security vulnerability ***

Public security bug reported:

There are multiple CVEs in Mercurial that should be fixed through a
security update. Here are the releases that I believe need patching and
the releases which I believe are affected:

 * CVE-2016-3068: Mercurial before 3.7.3 allows remote attackers to
   execute arbitrary code via a crafted git ext:: URL when cloning a
   subrepository.
   - Trusty
 * CVE-2016-3069: Mercurial before 3.7.3 allows remote attackers to
   execute arbitrary code via a crafted name when converting a Git
   repository.
   - Trusty
 * CVE-2016-3105: The convert extension in Mercurial before 3.8 might
   allow context-dependent attackers to execute arbitrary code via a
   crafted git repository name.
   - Trusty
   - Xenial
 * CVE-2016-3630: The binary delta decoder in Mercurial before 3.7.3
   allows remote attackers to execute arbitrary code via a (1) clone,
   (2) push, or (3) pull command, related to (a) a list sizing rounding
   error and (b) short records.
   - Trusty
 * CVE-2017-17458: In Mercurial before 4.4.1, it is possible that a
   specially malformed repository can cause Git subrepositories to run
   arbitrary code in the form of a .git/hooks/post-update script checked
   into the repository. Typical use of Mercurial prevents construction
   of such repositories, but they can be created programmatically.
   - Trusty
   - Xenial
   - Artful
 * CVE-2018-1000132: Mercurial version 4.5 and earlier contains an
   Incorrect Access Control (CWE-285) vulnerability in the protocol
   server that can result in unauthorized data access. This attack
   appears to be exploitable via network connectivity. This
   vulnerability appears to have been fixed in 4.5.1.
   - Trusty
   - Xenial
   - Artful
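Two of the issues listed above are about what a repository can carry in
its own tree rather than about the wire protocol: CVE-2016-3068 (a git
ext:: URL in a subrepository source) and CVE-2017-17458 (a
.git/hooks/post-update script checked into a Git subrepository). Both
can be caught by auditing a fetched working copy before its
subrepositories are cloned. The Python below is an added example, not
part of this bug report or of Mercurial's own code. It assumes
Mercurial's documented .hgsub syntax ("path = [kind]source", with kind
defaulting to hg) and a working copy on local disk; the sample .hgsub
text and the directory tree it scans are constructed for the example.

```python
"""Pre-clone audit for Mercurial subrepositories (added example).

Assumptions: .hgsub follows the documented "path = [kind]source" form,
and the repository to audit is already on local disk.
"""
import re
import tempfile
from pathlib import Path

# "path = [kind]source"; the [kind] prefix is optional and defaults to hg.
_HGSUB_LINE = re.compile(
    r"^\s*(?P<path>[^=#]+?)\s*=\s*(?:\[(?P<kind>\w+)\])?\s*(?P<src>\S.*?)\s*$"
)

# Constructed sample .hgsub content, not taken from any real repository.
# The ext:: source uses a harmless placeholder rather than a real command.
SAMPLE_HGSUB = """\
# constructed sample
vendor/lib = [git]https://example.invalid/lib.git
tools      = [git]ext::helper-command-here
docs       = https://example.invalid/docs
"""


def parse_hgsub(text):
    """Return (path, kind, source) tuples for every entry in .hgsub text."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = _HGSUB_LINE.match(line)
        if m:
            entries.append((m.group("path"), m.group("kind") or "hg", m.group("src")))
    return entries


def risky_subrepos(text):
    """Flag git subrepositories whose source uses the ext:: remote helper.

    Git's ext:: helper hands the rest of the URL to a command, which is the
    mechanism CVE-2016-3068 relies on. Refusing such sources before
    'hg clone' ever reaches the subrepository is independent of the
    Mercurial version installed.
    """
    return [e for e in parse_hgsub(text)
            if e[1] == "git" and e[2].lower().startswith("ext::")]


def checked_in_git_hooks(root):
    """List files stored under any .git/hooks directory in the tree.

    A hook script that arrives as repository content (the CVE-2017-17458
    shape) is something a normal checkout never produces, so any hit is
    worth stopping on before the subrepository is used.
    """
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        parts = p.relative_to(root).parts
        for i in range(len(parts) - 2):
            if parts[i] == ".git" and parts[i + 1] == "hooks":
                hits.append(p.relative_to(root).as_posix())
                break
    return sorted(hits)


def demo_hook_scan():
    """Build a constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        hooks = root / "vendor" / "lib" / ".git" / "hooks"
        hooks.mkdir(parents=True)
        # Placeholder hook body; the point is that the file is tracked at all.
        (hooks / "post-update").write_text("#!/bin/sh\n# constructed placeholder\n")
        return checked_in_git_hooks(root)


if __name__ == "__main__":
    for path, kind, src in risky_subrepos(SAMPLE_HGSUB):
        print(f"refuse subrepo {path!r}: {kind} source {src!r} uses ext::")
    for hit in demo_hook_scan():
        print(f"checked-in git hook found: {hit}")
```

Run it on a real working copy by feeding the contents of its .hgsub to
risky_subrepos() and its root to checked_in_git_hooks(); a non-empty
result from either is a reason to stop before pulling subrepositories,
whichever Mercurial package version the host has.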

** Affects: mercurial (Ubuntu)
     Importance: High
         Status: Fix Released

** Affects: mercurial (Ubuntu Trusty)
     Importance: High
     Assignee: Simon Quigley (tsimonq2)
         Status: Confirmed

** Affects: mercurial (Ubuntu Xenial)
     Importance: High
     Assignee: Simon Quigley (tsimonq2)
         Status: Confirmed

** Affects: mercurial (Ubuntu Artful)
     Importance: High
     Assignee: Simon Quigley (tsimonq2)
         Status: Confirmed

** Also affects: mercurial (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: mercurial (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: mercurial (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: mercurial (Ubuntu)
   Importance: Undecided => High

** Changed in: mercurial (Ubuntu Trusty)
   Importance: Undecided => Critical

** Changed in: mercurial (Ubuntu Trusty)
   Importance: Critical => High

** Changed in: mercurial (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: mercurial (Ubuntu Artful)
   Importance: Undecided => High

** Changed in: mercurial (Ubuntu Trusty)
     Assignee: (unassigned) => Simon Quigley (tsimonq2)

** Changed in: mercurial (Ubuntu Xenial)
     Assignee: (unassigned) => Simon Quigley (tsimonq2)

** Changed in: mercurial (Ubuntu Artful)
     Assignee: (unassigned) => Simon Quigley (tsimonq2)

** Changed in: mercurial (Ubuntu Trusty)
       Status: New => Won't Fix

** Changed in: mercurial (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: mercurial (Ubuntu Artful)
       Status: New => Confirmed

** Changed in: mercurial (Ubuntu Trusty)
       Status: Won't Fix => Confirmed

** Changed in: mercurial (Ubuntu)
       Status: New => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3068

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3069

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3105

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3630

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17458

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000132

** Summary changed:

- Multiple mercurial CVEs have been announced
+ Multiple Mercurial CVEs have been announced

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1759366

Title:
  Multiple Mercurial CVEs have been announced
