UbuntuUpdates.org

Package "mercurial"

Name: mercurial

Description:

easy-to-use, scalable distributed version control system

Latest version: 2.8.2-1ubuntu1.4
Release: trusty (14.04)
Level: security
Repository: universe
Homepage: http://mercurial.selenic.com/

Other versions of "mercurial" in Trusty

Repository Area Version
base universe 2.8.2-1ubuntu1
updates universe 2.8.2-1ubuntu1.4

Changelog

Version: 2.8.2-1ubuntu1.4 2018-11-22 22:06:50 UTC

  mercurial (2.8.2-1ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a
    crafted git ext:: URL when cloning a subrepository.
    - debian/patches/CVE-2016-3068.patch: set GIT_ALLOW_PROTOCOL to limit
      git clone protocols.
    - CVE-2016-3068
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a crafted
    name when converting a Git repository.
    - debian/patches/CVE-2016-3069_part1.patch: add new, non-clowny interface
      for shelling out to git.
    - debian/patches/CVE-2016-3069_part2.patch: rewrite calls to Git to use
      the new shelling mechanism.
    - debian/patches/CVE-2016-3069_part3.patch: dead code removal - old git
      calling functions
    - debian/patches/CVE-2016-3069_part4.patch: test for shell injection in
      git calls
    - CVE-2016-3069
  * SECURITY UPDATE: The convert extension might allow attackers to
    execute arbitrary code via a crafted git repository name.
    - debian/patches/CVE-2016-3105.patch: Pass absolute paths to git.
    - CVE-2016-3105
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a clone,
    push or pull command because of a list sizing rounding error and short
    records.
    - debian/patches/CVE-2016-3630_part1.patch: fix list sizing rounding
      error.
    - debian/patches/CVE-2016-3630_part2.patch: detect short records
    - CVE-2016-3630
  * SECURITY UPDATE: hg server --stdio allows remote authenticated users
    to launch the Python debugger and execute arbitrary code.
    - debian/patches/CVE-2017-9462.patch: Protect against malicious hg
      serve --stdio invocations.
    - CVE-2017-9462
  * SECURITY UPDATE: A specially malformed repository can cause GIT
    subrepositories to run arbitrary code.
    - debian/patches/CVE-2017-17458_part1.patch: add test-audit-subrepo.t
      testcase.
    - debian/patches/CVE-2017-17458_part2.patch: disallow symlink
      traversal across subrepo mount point.
    - CVE-2017-17458
  * SECURITY UPDATE: Missing symlink check could be abused to write to files
    outside the repository.
    - debian/patches/CVE-2017-1000115.patch: Fix symlink traversal.
    - CVE-2017-1000115
  * SECURITY UPDATE: Possible shell-injection attack from not adequately
    sanitizing hostnames passed to ssh.
    - debian/patches/CVE-2017-1000116.patch: Sanitize hostnames passed to ssh.
    - CVE-2017-1000116
  * SECURITY UPDATE: Integer underflow and overflow.
    - debian/patches/CVE-2018-13347.patch: Protect against underflow.
    - debian/patches/CVE-2018-13347-extras.patch: Protect against overflow.
    - CVE-2018-13347
  * SECURITY UPDATE: Able to start fragment past the end of original data.
    - debian/patches/CVE-2018-13346.patch: Ensure fragment start is not past
      the end of orig.
    - CVE-2018-13346
  * SECURITY UPDATE: Data mishandling in certain situations.
    - debian/patches/CVE-2018-13348.patch: Be more careful about parsing
      binary patch data.
    - CVE-2018-13348
  * SECURITY UPDATE: Vulnerability in Protocol server can result in
    unauthorized data access.
    - debian/patches/CVE-2018-1000132.patch: Always perform permissions
      checks on protocol commands.
    - CVE-2018-1000132

 -- Eduardo Barretto <email address hidden> Fri, 16 Nov 2018 16:16:59 -0200

CVE-2016-3068 arbitrary code execution with Git subrepos
CVE-2016-3069 arbitrary code execution when converting Git repos
CVE-2016-3105 The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.
CVE-2016-3630 remote code execution in binary delta decoding
CVE-2017-9462 In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary cod
CVE-2017-17458 In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a
CVE-2017-1000115 Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can allow malicious repositories to modify files outside the repository
CVE-2017-1000116 Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
CVE-2018-13347 mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.
CVE-2018-13346 The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the origina
CVE-2018-13348 The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining afte
CVE-2018-1000132 Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data

Version: 2.8.2-1ubuntu1.3 2015-06-17 21:06:50 UTC

  mercurial (2.8.2-1ubuntu1.3) trusty-security; urgency=medium

  [ Jamie Strandboge ]
  * SECURITY UPDATE: fix for improperly handling case-insensitive paths on
    Windows and OS X clients
    - http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
    - http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
    - http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
    - CVE-2014-9390
    - LP: #1404035

  [ Marc Deslauriers ]
  * SECURITY UPDATE: arbitrary command execution via crafted repository
    name in a clone command
    - d/p/from_upstream__sshpeer_more_thorough_shell_quoting.patch: add
      more thorough shell quoting to mercurial/sshpeer.py.
    - CVE-2014-9462
  * debian/patches/fix_ftbfs_patchbomb_test.patch: fix patchbomb test.

 -- Marc Deslauriers <email address hidden> Wed, 17 Jun 2015 10:51:42 -0400

CVE-2014-9390 arbitrary command execution vulnerability on case-insensitive file systems
CVE-2014-9462 The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name i
