[ubuntu/trusty-updates] mercurial 2.8.2-1ubuntu1.4 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Thu Nov 22 21:58:07 UTC 2018

mercurial (2.8.2-1ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a
    crafted git ext:: URL when cloning a subrepository.
    - debian/patches/CVE-2016-3068.patch: set GIT_ALLOW_PROTOCOL to limit
      git clone protocols.
    - CVE-2016-3068
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a crafted
    name when converting a Git repository.
    - debian/patches/CVE-2016-3069_part1.patch: add new, non-clowny interface
      for shelling out to git.
    - debian/patches/CVE-2016-3069_part2.patch: rewrite calls to Git to use
      the new shelling mechanism.
    - debian/patches/CVE-2016-3069_part3.patch: dead code removal - old git
      calling functions
    - debian/patches/CVE-2016-3069_part4.patch: test for shell injection in
      git calls
    - CVE-2016-3069
  * SECURITY UPDATE: The convert extension might allow attackers to
    execute arbitrary code via a crafted git repository name.
    - debian/patches/CVE-2016-3105.patch: Pass absolute paths to git.
    - CVE-2016-3105
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a clone,
    push or pull command because of a list sizing rounding error and short
    - debian/patches/CVE-2016-3630_part1.patch: fix list sizing rounding
    - debian/patches/CVE-2016-3630_part2.patch: detect short records
    - CVE-2016-3630
  * SECURITY UPDATE: hg server --stdio allows remote authenticated users
    to launch the Python debugger and execute arbitrary code.
    - debian/patches/CVE-2017-9462.patch: Protect against malicious hg
      serve --stdio invocations.
    - CVE-2017-9462
  * SECURITY UPDATE: A specially malformed repository can cause GIT
    subrepositories to run arbitrary code.
    - debian/patches/CVE-2017-17458_part1.patch: add test-audit-subrepo.t
    - debian/patches/CVE-2017-17458_part2.patch: disallow symlink
      traversal across subrepo mount point.
    - CVE-2017-17458
  * SECURITY UPDATE: Missing symlink check could be abused to write to files
    outside the repository.
    - debian/patches/CVE-2017-1000115.patch: Fix symlink traversal.
    - CVE-2017-1000115
  * SECURITY UPDATE: Possible shell-injection attack from not adequately
    sanitizing hostnames passed to ssh.
    - debian/patches/CVE-2017-1000116.patch: Sanitize hostnames passed to ssh.
    - CVE-2017-1000116
  * SECURITY UPDATE: Integer underflow and overflow.
    - debian/patches/CVE-2018-13347.patch: Protect against underflow.
    - debian/patches/CVE-2018-13347-extras.patch: Protect against overflow.
    - CVE-2018-13347
  * SECURITY UPDATE: Able to start fragment past of the end of original data.
    - debian/patches/CVE-2018-13346.patch: Ensure fragment start is not past
      then end of orig.
    - CVE-2018-13346
  * SECURITY UPDATE: Data mishandling in certain situations.
    - debian/patches/CVE-2018-13348.patch: Be more careful about parsing
      binary patch data.
    - CVE-2018-13348
  * SECURITY UPDATE: Vulnerability in Protocol server can result in
    unauthorized data access.
    - debian/patches/CVE-2018-1000132.patch: Always perform permissions
      checks on protocol commands.
    - CVE-2018-1000132

Date: 2018-11-22 18:19:46.418758+00:00
Changed-By: Eduardo dos Santos Barretto <eduardo.barretto at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Trusty-changes mailing list