Advisories » MGASA-2016-0138

Updated mercurial packages fix security vulnerabilities

Publication date: 13 Apr 2016
Modification date: 13 Apr 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-3068, CVE-2016-3069, CVE-2016-3630

Description

Updated mercurial packages fix security vulnerabilities:

Blake Burkhart discovered that Mercurial allows URLs for Git subrepositories
that could result in arbitrary code execution on clone (CVE-2016-3068).

Blake Burkhart discovered that Mercurial allows arbitrary code execution when
converting Git repositories with specially crafted names (CVE-2016-3069).

It was discovered that Mercurial does not properly perform bounds-checking in
its binary delta decoder, which may be exploitable for remote code execution
via clone, push or pull (CVE-2016-3630).
                

References

SRPMS

5/core