Ubuntu
mercurial package

mercurial 3.7.3-1ubuntu1.1 source package in Ubuntu

Changelog

mercurial (3.7.3-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: The convert extension might allow attackers to
    execute arbitrary code via a crafted git repository name.
    - debian/patches/CVE-2016-3105.patch: Pass absolute paths to git.
    - CVE-2016-3105
  * SECURITY UPDATE: hg server --stdio allows remote authenticated users
    to launch the Python debugger and execute arbitrary code.
    - debian/patches/CVE-2017-9462.patch: Protect against malicious hg
      serve --stdio invocations.
    - CVE-2017-9462
  * SECURITY UPDATE: A specially malformed repository can cause GIT
    subrepositories to run arbitrary code.
    - debian/patches/CVE-2017-17458_part1.patch: add test-audit-subrepo.t
      testcase.
    - debian/patches/CVE-2017-17458_part2.patch: disallow symlink
      traversal across subrepo mount point.
    - CVE-2017-17458
  * SECURITY UPDATE: Missing symlink check could be abused to write to files
    outside the repository.
    - debian/patches/CVE-2017-1000115.patch: Fix symlink traversal.
    - CVE-2017-1000115
  * SECURITY UPDATE: Possible shell-injection attack from not adequately
    sanitizing hostnames passed to ssh.
    - debian/patches/CVE-2017-1000116.patch: Sanitize hostnames passed to ssh.
    - CVE-2017-1000116
  * SECURITY UPDATE: Integer underflow and overflow.
    - debian/patches/CVE-2018-13347.patch: Protect against underflow.
    - debian/patches/CVE-2018-13347-extras.patch: Protect against overflow.
    - CVE-2018-13347
  * SECURITY UPDATE: Able to start fragment past of the end of original data.
    - debian/patches/CVE-2018-13346.patch: Ensure fragment start is not past
      then end of orig.
    - CVE-2018-13346
  * SECURITY UPDATE: Data mishandling in certain situations.
    - debian/patches/CVE-2018-13348.patch: Be more careful about parsing
      binary patch data.
    - CVE-2018-13348
  * SECURITY UPDATE: Vulnerability in Protocol server can result in
    unauthorized data access.
    - debian/patches/CVE-2018-1000132.patch: Always perform permissions
      checks on protocol commands.
    - CVE-2018-1000132

 -- Eduardo Barretto <email address hidden>  Tue, 13 Nov 2018 16:10:13 -0200

Upload details

Uploaded by:
Eduardo Barretto
Uploaded to:
Xenial
Original maintainer:
Ubuntu Developers
Architectures:
any all
Section:
vcs
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section

Downloads

File Size SHA-256 Checksum
mercurial_3.7.3.orig.tar.gz 4.4 MiB c099c42d74e2d520b61dd372cd996b0fa7605c06617834fd7b13c79b9a9a5b30
mercurial_3.7.3-1ubuntu1.1.debian.tar.xz 63.5 KiB a8a6dd672b0f9f0f82a1a89d23e7aae8146fa4afddbde721d77887003af8e932
mercurial_3.7.3-1ubuntu1.1.dsc 2.3 KiB 885ed4600fea0f24f30ae9d6ded6d73ea08416875295165cbb965a5c6325840a

View changes file

Binary packages built by this source

mercurial: easy-to-use, scalable distributed version control system

 Mercurial is a fast, lightweight Source Control Management system designed
 for efficient handling of very large distributed projects.
 .
 Its features include:
  * O(1) delta-compressed file storage and retrieval scheme
  * Complete cross-indexing of files and changesets for efficient exploration
    of project history
  * Robust SHA1-based integrity checking and append-only storage model
  * Decentralized development model with arbitrary merging between trees
  * High-speed HTTP-based network merge protocol
  * Easy-to-use command-line interface
  * Integrated stand-alone web interface
  * Small Python codebase
 .
 This package contains the architecture dependent files.

mercurial-common: easy-to-use, scalable distributed version control system (common files)

 Mercurial is a fast, lightweight Source Control Management system designed
 for efficient handling of very large distributed projects.
 .
 This package contains the architecture independent components of Mercurial,
 and is generally useless without the mercurial package.

mercurial-dbgsym: debug symbols for package mercurial

 Mercurial is a fast, lightweight Source Control Management system designed
 for efficient handling of very large distributed projects.
 .
 Its features include:
  * O(1) delta-compressed file storage and retrieval scheme
  * Complete cross-indexing of files and changesets for efficient exploration
    of project history
  * Robust SHA1-based integrity checking and append-only storage model
  * Decentralized development model with arbitrary merging between trees
  * High-speed HTTP-based network merge protocol
  * Easy-to-use command-line interface
  * Integrated stand-alone web interface
  * Small Python codebase
 .
 This package contains the architecture dependent files.