mercurial 2.8.2-1ubuntu1.4 source package in Ubuntu
Changelog
mercurial (2.8.2-1ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a
    crafted git ext:: URL when cloning a subrepository.
    - debian/patches/CVE-2016-3068.patch: set GIT_ALLOW_PROTOCOL to limit
      git clone protocols.
    - CVE-2016-3068
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a
    crafted name when converting a Git repository.
    - debian/patches/CVE-2016-3069_part1.patch: add new, non-clowny
      interface for shelling out to git.
    - debian/patches/CVE-2016-3069_part2.patch: rewrite calls to Git to use
      the new shelling mechanism.
    - debian/patches/CVE-2016-3069_part3.patch: dead code removal - old git
      calling functions
    - debian/patches/CVE-2016-3069_part4.patch: test for shell injection in
      git calls
    - CVE-2016-3069
  * SECURITY UPDATE: The convert extension might allow attackers to execute
    arbitrary code via a crafted git repository name.
    - debian/patches/CVE-2016-3105.patch: Pass absolute paths to git.
    - CVE-2016-3105
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a
    clone, push or pull command because of a list sizing rounding error and
    short records.
    - debian/patches/CVE-2016-3630_part1.patch: fix list sizing rounding
      error.
    - debian/patches/CVE-2016-3630_part2.patch: detect short records
    - CVE-2016-3630
  * SECURITY UPDATE: hg server --stdio allows remote authenticated users to
    launch the Python debugger and execute arbitrary code.
    - debian/patches/CVE-2017-9462.patch: Protect against malicious hg serve
      --stdio invocations.
    - CVE-2017-9462
  * SECURITY UPDATE: A specially malformed repository can cause GIT
    subrepositories to run arbitrary code.
    - debian/patches/CVE-2017-17458_part1.patch: add test-audit-subrepo.t
      testcase.
    - debian/patches/CVE-2017-17458_part2.patch: disallow symlink traversal
      across subrepo mount point.
    - CVE-2017-17458
  * SECURITY UPDATE: Missing symlink check could be abused to write to files
    outside the repository.
    - debian/patches/CVE-2017-1000115.patch: Fix symlink traversal.
    - CVE-2017-1000115
  * SECURITY UPDATE: Possible shell-injection attack from not adequately
    sanitizing hostnames passed to ssh.
    - debian/patches/CVE-2017-1000116.patch: Sanitize hostnames passed to
      ssh.
    - CVE-2017-1000116
  * SECURITY UPDATE: Integer underflow and overflow.
    - debian/patches/CVE-2018-13347.patch: Protect against underflow.
    - debian/patches/CVE-2018-13347-extras.patch: Protect against overflow.
    - CVE-2018-13347
  * SECURITY UPDATE: Able to start fragment past of the end of original
    data.
    - debian/patches/CVE-2018-13346.patch: Ensure fragment start is not past
      then end of orig.
    - CVE-2018-13346
  * SECURITY UPDATE: Data mishandling in certain situations.
    - debian/patches/CVE-2018-13348.patch: Be more careful about parsing
      binary patch data.
    - CVE-2018-13348
  * SECURITY UPDATE: Vulnerability in Protocol server can result in
    unauthorized data access.
    - debian/patches/CVE-2018-1000132.patch: Always perform permissions
      checks on protocol commands.
    - CVE-2018-1000132

 -- Eduardo Barretto <email address hidden>  Fri, 16 Nov 2018 16:16:59 -0200
Upload details
- Uploaded by: Eduardo Barretto
- Uploaded to: Trusty
- Original maintainer: Ubuntu Developers
- Architectures: any all
- Section: vcs
- Urgency: Medium Urgency
Publishing
Series | Pocket | Component | Section |
---|---|---|---|
Trusty | updates | universe | devel |
Trusty | security | universe | devel |
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
mercurial_2.8.2.orig.tar.gz | 3.7 MiB | c8a5baa21140c6cd6749c3b52b5e5e4a14b6b8ee7c518d9d9de09b1952efbe6f |
mercurial_2.8.2-1ubuntu1.4.debian.tar.gz | 81.6 KiB | 658cb914b693b65216017fcda18944d5d835b7474239a0b0c4c9ceddf8899f45 |
mercurial_2.8.2-1ubuntu1.4.dsc | 2.3 KiB | 60b7820c12d720f0423f853c18c4d7226777db1196846ab6583749293128dbbc |
Binary packages built by this source
- mercurial: easy-to-use, scalable distributed version control system
Mercurial is a fast, lightweight Source Control Management system designed
for efficient handling of very large distributed projects.
Its features include:
* O(1) delta-compressed file storage and retrieval scheme
* Complete cross-indexing of files and changesets for efficient exploration
of project history
* Robust SHA1-based integrity checking and append-only storage model
* Decentralized development model with arbitrary merging between trees
* High-speed HTTP-based network merge protocol
* Easy-to-use command-line interface
* Integrated stand-alone web interface
* Small Python codebase
This package contains the architecture dependent files.
- mercurial-common: easy-to-use, scalable distributed version control system (common files)
Mercurial is a fast, lightweight Source Control Management system designed
for efficient handling of very large distributed projects.
This package contains the architecture independent components of Mercurial,
and is generally useless without the mercurial package.
- mercurial-dbgsym: debug symbols for package mercurial
Mercurial is a fast, lightweight Source Control Management system designed
for efficient handling of very large distributed projects.
Its features include:
* O(1) delta-compressed file storage and retrieval scheme
* Complete cross-indexing of files and changesets for efficient exploration
of project history
* Robust SHA1-based integrity checking and append-only storage model
* Decentralized development model with arbitrary merging between trees
* High-speed HTTP-based network merge protocol
* Easy-to-use command-line interface
* Integrated stand-alone web interface
* Small Python codebase
This package contains the architecture dependent files.