Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#48821 - [mercurial] remote code execution in mercurial <= 3.7.2
Attached to Project:
Arch Linux
Opened by Remi Gacogne (rgacogne) - Tuesday, 05 April 2016, 22:17 GMT
Last edited by Antonio Rojas (arojas) - Wednesday, 06 April 2016, 06:23 GMT
Details

Hello,

Mercurial 3.7.3 has been released[1], fixing several security issues allowing remote code execution:

* CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
  Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.

* CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
  Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.

* CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
  Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.

[1]: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
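As an added example (not part of this report, and not Arch or Mercurial tooling): a small Python check that parses `pacman -Q mercurial` output and decides whether the installed upstream version predates 3.7.3, the release the report names as carrying the fixes. It assumes pacman's `name [epoch:]pkgver-pkgrel` output format; the sample lines in the block are constructed. Only the upstream pkgver is compared, because a pkgrel bump on its own does not show that a fix was backported.

```python
"""Check whether an installed Arch `mercurial` package predates the 3.7.3 fix.

Added example (not part of the bug report or of Mercurial/Arch tooling).
Assumes `pacman -Q mercurial` prints one line in the form
`mercurial [epoch:]pkgver-pkgrel`, e.g. `mercurial 3.7.2-1`.
"""
import re
import subprocess

# Upstream release that, per the report above, fixes CVE-2016-3630,
# CVE-2016-3068 and CVE-2016-3069.
FIXED_VERSION = "3.7.3"

# pacman -Q output: "<name> [<epoch>:]<pkgver>-<pkgrel>"
_PKG_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<epoch>\d+):)?(?P<pkgver>[^\s:-]+)-(?P<pkgrel>\S+)$"
)


def parse_pacman_q(line):
    """Split one `pacman -Q` line into (name, epoch, pkgver, pkgrel)."""
    m = _PKG_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised pacman -Q line: {line!r}")
    return (m.group("name"), int(m.group("epoch") or 0),
            m.group("pkgver"), m.group("pkgrel"))


def version_key(pkgver):
    """Sort key for Mercurial-style upstream versions.

    '3.7.3' -> ((3, 7, 3), 1); a pre-release such as '3.8rc1' -> ((3, 8), 0),
    which orders below the final '3.8' but above any 3.7.x.
    """
    numbers = []
    prerelease = False
    for part in pkgver.split("."):
        m = re.match(r"(\d+)(.*)", part)
        if m is None:
            raise ValueError(f"unparseable version component {part!r} in {pkgver!r}")
        numbers.append(int(m.group(1)))
        if m.group(2):          # trailing text such as 'rc1' marks a pre-release
            prerelease = True
            break               # nothing after the tag is a numeric component
    return (tuple(numbers), 0 if prerelease else 1)


def is_affected(pkgver, fixed=FIXED_VERSION):
    """True if the upstream version is older than the fixed release."""
    return version_key(pkgver) < version_key(fixed)


def assess(line):
    """Return (pkgver, affected) for a `pacman -Q mercurial` line.

    Only the upstream pkgver is compared. The epoch and pkgrel are parsed
    but ignored: a pkgrel bump alone does not prove a backported fix, so in
    that case the package changelog has to be checked by hand.
    """
    name, _epoch, pkgver, _pkgrel = parse_pacman_q(line)
    if name != "mercurial":
        raise ValueError(f"expected the mercurial package, got {name!r}")
    return pkgver, is_affected(pkgver)


def check_installed():
    """Query pacman on this host; returns None if pacman is unavailable."""
    try:
        out = subprocess.run(["pacman", "-Q", "mercurial"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return assess(out.splitlines()[0])


if __name__ == "__main__":
    # Constructed sample lines in the shape `pacman -Q mercurial` prints.
    for sample in ("mercurial 3.7.2-1", "mercurial 3.7.3-1", "mercurial 3.8rc1-1"):
        pkgver, affected = assess(sample)
        print(f"{sample:22} -> {'AFFECTED' if affected else 'ok'} (pkgver {pkgver})")
    live = check_installed()
    if live is not None:
        print("installed:", live)
```

Run it on an Arch host to get the live verdict alongside the constructed samples; on any other system it only reports on the samples.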