← Back to team overview

group.of.nepali.translators team mailing list archive

  1. group.of.nepali.translators team
  2. Mailing list archive
  3. Message #25017

[Bug 1759366] Re: Multiple Mercurial CVEs have been announced

  Thread PreviousDate PreviousThread Next 
** No longer affects: mercurial (Ubuntu Artful)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1759366

Title:
  Multiple Mercurial CVEs have been announced

Status in mercurial package in Ubuntu:
  Fix Released
Status in mercurial source package in Trusty:
  Confirmed
Status in mercurial source package in Xenial:
  Confirmed

Bug description:
  There are multiple CVEs in Mercurial that should be fixed through a
  security update. Here's the releases that I believe need patching and
  the releases which I believe are affected:

   * CVE-2016-3068: Mercurial before 3.7.3 allows remote attackers to execute arbitrary code
  via a crafted git ext:: URL when cloning a subrepository.
     - Trusty
   * CVE-2016-3069: Mercurial before 3.7.3 allows remote attackers to execute arbitrary code
  via a crafted name when converting a Git repository.
     - Trusty
   * CVE-2016-3105: The convert extension in Mercurial before 3.8 might allow context-dependent
  attackers to execute arbitrary code via a crafted git repository name.
     - Trusty
     - Xenial
   * CVE-2016-3630: The binary delta decoder in Mercurial before 3.7.3 allows remote attackers
  to execute arbitrary code via a (1) clone, (2) push, or (3) pull command,
  related to (a) a list sizing rounding error and (b) short records.
     - Trusty
   * CVE-2017-17458: In Mercurial before 4.4.1, it is possible that a specially malformed
  repository can cause Git subrepositories to run arbitrary code in the form
  of a .git/hooks/post-update script checked into the repository. Typical use
  of Mercurial prevents construction of such repositories, but they can be
  created programmatically.
     - Trusty
     - Xenial
     - Artful
   * CVE-2018-1000132: Mercurial version 4.5 and earlier contains a Incorrect Access Control
  (CWE-285) vulnerability in Protocol server that can result in Unauthorized
  data access. This attack appear to be exploitable via network connectivity.
  This vulnerability appears to have been fixed in 4.5.1.
     - Trusty
     - Xenial
     - Artful

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mercurial/+bug/1759366/+subscriptions

References

  Thread PreviousDate PreviousThread Next