Slackware has issued an advisory on April 1: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.527508 The issues are fixed upstream in 3.7.3 (already updated in Cauldron). I don't have any more info about these issues or if they affect 3.1.1.
(In reply to David Walser from comment #0) > I don't have any more info about these issues or if they affect 3.1.1. I'll check with Debian, but for now, Debian did nothing for 3.1.2 https://security-tracker.debian.org/tracker/source-package/mercurial
(In reply to Philippe Makowski from comment #1) > (In reply to David Walser from comment #0) > > I don't have any more info about these issues or if they affect 3.1.1. > > I'll check with Debian, but for now, Debian did nothing for 3.1.2 > https://security-tracker.debian.org/tracker/source-package/mercurial seems that OpenSuse have the patches : https://build.opensuse.org/request/show/384129
(In reply to Philippe Makowski from comment #1) > (In reply to David Walser from comment #0) > > I don't have any more info about these issues or if they affect 3.1.1. > > I'll check with Debian, but for now, Debian did nothing for 3.1.2 > https://security-tracker.debian.org/tracker/source-package/mercurial Debian has now patched 3.1.2: https://www.debian.org/security/2016/dsa-3542 https://lists.debian.org/debian-security-announce/2016/msg00116.html packages.debian.org and sources.debian.net haven't been updated yet though :-/
Several vulnerabilities have been discovered in Mercurial, a distributed version control system. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2016-3068 Blake Burkhart discovered that Mercurial allows URLs for Git subrepositories that could result in arbitrary code execution on clone. CVE-2016-3069 Blake Burkhart discovered that Mercurial allows arbitrary code execution when converting Git repositories with specially crafted names. CVE-2016-3630 It was discovered that Mercurial does not properly perform bounds- checking in its binary delta decoder, which may be exploitable for remote code execution via clone, push or pull. Updated packages : mercurial-3.1.1-5.1.mga5.i586 mercurial-3.1.1-5.1.mga5.x86_64 from : mercurial-3.1.1-5.1.mga5.src Refs : https://bugs.mageia.org/show_bug.cgi?id=18124 https://www.debian.org/security/2016/dsa-3542 https://lists.debian.org/debian-security-announce/2016/msg00116.html http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.527508 http://lwn.net/Vulnerabilities/682389/
Assignee: makowski.mageia => security
Thanks Philippe! Advisory: ======================== Updated mercurial packages fix security vulnerabilities: Blake Burkhart discovered that Mercurial allows URLs for Git subrepositories that could result in arbitrary code execution on clone (CVE-2016-3068). Blake Burkhart discovered that Mercurial allows arbitrary code execution when converting Git repositories with specially crafted names (CVE-2016-3069). It was discovered that Mercurial does not properly perform bounds-checking in its binary delta decoder, which may be exploitable for remote code execution via clone, push or pull (CVE-2016-3630). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3068 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3069 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3630 https://www.debian.org/security/2016/dsa-3542
CC: (none) => makowski.mageiaVersion: Cauldron => 5Assignee: security => qa-bugs
MGA5-32 on Acer D620 Xfce No installation issues. Tested as per bug 15590 Comment 4 , all works well.
CC: (none) => herman.viaeneWhiteboard: (none) => has_procedure MGA5-32-OK
Well done Herman. Validating. Advisory uploaded.
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA5-32-OK => has_procedure advisory MGA5-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0138.html
Status: NEW => RESOLVEDResolution: (none) => FIXED