Advisories » MGASA-2016-0172

Updated mercurial packages fix security vulnerability

Publication date: 12 May 2016
Modification date: 12 May 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-3105

Description

This update fixes possible arbitrary code execution when converting Git
repos. Mercurial prior to 3.8 allowed arbitrary code execution when using
the convert extension on Git repos with hostile names. This could affect
automated code conversion services that allow arbitrary repository names.
This is a further side-effect of Git CVE-2015-7545. Reported and fixed by
Blake Burkhart.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=18363
• https://access.redhat.com/security/cve/CVE-2016-3105
• https://selenic.com/hg/rev/a56296f55a5e
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3105

SRPMS

5/core

• mercurial-3.1.1-5.2.mga5