mercurial 2.8.2-1ubuntu1.4 source package in Ubuntu

Changelog

mercurial (2.8.2-1ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a
    crafted git ext:: URL when cloning a subrepository.
    - debian/patches/CVE-2016-3068.patch: set GIT_ALLOW_PROTOCOL to limit
      git clone protocols.
    - CVE-2016-3068
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a crafted
    name when converting a Git repository.
    - debian/patches/CVE-2016-3069_part1.patch: add new, non-clowny interface
      for shelling out to git.
    - debian/patches/CVE-2016-3069_part2.patch: rewrite calls to Git to use
      the new shelling mechanism.
    - debian/patches/CVE-2016-3069_part3.patch: dead code removal - old git
      calling functions
    - debian/patches/CVE-2016-3069_part4.patch: test for shell injection in
      git calls
    - CVE-2016-3069
  * SECURITY UPDATE: The convert extension might allow attackers to
    execute arbitrary code via a crafted git repository name.
    - debian/patches/CVE-2016-3105.patch: Pass absolute paths to git.
    - CVE-2016-3105
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a clone,
    push or pull command because of a list sizing rounding error and short
    records.
    - debian/patches/CVE-2016-3630_part1.patch: fix list sizing rounding
      error.
    - debian/patches/CVE-2016-3630_part2.patch: detect short records
    - CVE-2016-3630
  * SECURITY UPDATE: hg server --stdio allows remote authenticated users
    to launch the Python debugger and execute arbitrary code.
    - debian/patches/CVE-2017-9462.patch: Protect against malicious hg
      serve --stdio invocations.
    - CVE-2017-9462
  * SECURITY UPDATE: A specially malformed repository can cause GIT
    subrepositories to run arbitrary code.
    - debian/patches/CVE-2017-17458_part1.patch: add test-audit-subrepo.t
      testcase.
    - debian/patches/CVE-2017-17458_part2.patch: disallow symlink
      traversal across subrepo mount point.
    - CVE-2017-17458
  * SECURITY UPDATE: Missing symlink check could be abused to write to files
    outside the repository.
    - debian/patches/CVE-2017-1000115.patch: Fix symlink traversal.
    - CVE-2017-1000115
  * SECURITY UPDATE: Possible shell-injection attack from not adequately
    sanitizing hostnames passed to ssh.
    - debian/patches/CVE-2017-1000116.patch: Sanitize hostnames passed to ssh.
    - CVE-2017-1000116
  * SECURITY UPDATE: Integer underflow and overflow.
    - debian/patches/CVE-2018-13347.patch: Protect against underflow.
    - debian/patches/CVE-2018-13347-extras.patch: Protect against overflow.
    - CVE-2018-13347
  * SECURITY UPDATE: Able to start fragment past the end of original data.
    - debian/patches/CVE-2018-13346.patch: Ensure fragment start is not past
      the end of orig.
    - CVE-2018-13346
  * SECURITY UPDATE: Data mishandling in certain situations.
    - debian/patches/CVE-2018-13348.patch: Be more careful about parsing
      binary patch data.
    - CVE-2018-13348
  * SECURITY UPDATE: Vulnerability in Protocol server can result in
    unauthorized data access.
    - debian/patches/CVE-2018-1000132.patch: Always perform permissions
      checks on protocol commands.
    - CVE-2018-1000132

 -- Eduardo Barretto <email address hidden>  Fri, 16 Nov 2018 16:16:59 -0200
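
The ssh hostname item (CVE-2017-1000116) comes down to one rule: nothing taken from a remote URL may reach ssh as an argument that ssh could read as an option, and the remote command must be quoted because sshd hands it to the login shell. The following Python 3 code is an added example for this page, not Mercurial's sshpeer code and not the Ubuntu patch; the accepted destination shape (the regex), the use of an argv list with `--`, and the sample values are assumptions made here. Mercurial itself allows a configurable ssh command, and not every ssh client honours `--`, so the explicit reject is the primary defence and `--` is belt and braces.

```python
import re
import shlex

# Added illustration of the CVE-2017-1000116 bug class; not Mercurial's code.
# OpenSSH parses an argument that starts with "-" as an option, so a remote
# URL whose host part is "-oProxyCommand=..." becomes an option injection if
# the host is spliced into the ssh command line unchecked.

# Conservative shape for the ssh destination token ("host" or "user@host"):
# user and host may contain letters, digits, dots, hyphens (and "_" in the
# user), and neither may start with "-". Assumption for this example; IPv6
# literals and non-ASCII hostnames are deliberately not accepted.
_SAFE_DEST = re.compile(
    r'^(?:[A-Za-z0-9_][A-Za-z0-9_.\-]*@)?'   # optional user@
    r'[A-Za-z0-9][A-Za-z0-9.\-]*$'            # host
)


def is_safe_ssh_destination(dest):
    """True if `dest` can be handed to ssh without being parsed as an option
    and without carrying characters that break a command line."""
    if not dest or dest[0] == '-':
        return False
    if any(c in dest for c in '\r\n\0 \t'):
        return False
    return _SAFE_DEST.match(dest) is not None


def build_ssh_argv(host, path, user=None, port=None,
                   remotecmd='hg', sshcmd='ssh'):
    """argv for: <sshcmd> [-p port] -- <user@host> '<remotecmd> -R <path> serve --stdio'

    The local side is an argv list, so no local shell parses it; local options
    end at '--'; the remote command string is shell-quoted because sshd runs
    it through the user's login shell on the server."""
    dest = host if user is None else '%s@%s' % (user, host)
    if not is_safe_ssh_destination(dest):
        raise ValueError('refusing unsafe ssh destination: %r' % dest)
    argv = [sshcmd]
    if port is not None:
        argv += ['-p', str(int(port))]   # int() rejects "2222 -oFoo"
    argv += ['--', dest,
             '%s -R %s serve --stdio' % (shlex.quote(remotecmd),
                                         shlex.quote(path))]
    return argv


if __name__ == '__main__':
    # Constructed sample destinations: one benign, one option injection.
    for dest in ('deploy@hg.example.org', '-oProxyCommand=id'):
        try:
            print(build_ssh_argv(dest, '/srv/hg/repo', port=2222))
        except ValueError as e:
            print(e)
```

Note that the path is not validated here, only quoted: `shlex.quote` turns `/srv/hg/repo; id` into a single quoted word, so the remote shell sees one argument to `-R`, while a path that is safe as-is (letters, digits, `/`, `.`, `-`, `_`) is passed unquoted.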
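
For the git ext:: URL item (CVE-2016-3068): git selects a remote helper from a `<helper>::` prefix, so an `ext::<command>` URL in an untrusted .hgsub makes git run `<command>` when the subrepository is cloned, and the patch's answer is to tell git which transports are allowed via GIT_ALLOW_PROTOCOL. The code below is an added example for this page, not Mercurial's subrepo code and not the Ubuntu patch; the allow-list value, the URL classifier and the sample URLs are assumptions made here. It keeps both defences, because a git old enough to predate GIT_ALLOW_PROTOCOL ignores the variable silently.

```python
import os
import subprocess

# Added example, not Mercurial's or the Ubuntu patch's code.
# Transports git may use for a subrepository clone whose URL comes from an
# untrusted .hgsub. "ext" (run an arbitrary command as the transport) is
# deliberately absent. The exact list is an assumption for this example.
ALLOWED_GIT_PROTOCOLS = ('file', 'git', 'http', 'https', 'ssh')


def git_env(base=None):
    """Environment for spawning git. GIT_ALLOW_PROTOCOL makes git refuse any
    transport not in the colon-separated list, including transports chosen
    by URLs found inside the cloned repository (e.g. submodules), which a
    one-off check of the top-level URL cannot see."""
    env = dict(os.environ if base is None else base)
    env['GIT_ALLOW_PROTOCOL'] = ':'.join(ALLOWED_GIT_PROTOCOLS)
    return env


def git_url_protocol(url):
    """Classify a git remote URL roughly as git's transport layer does:
    '<helper>::<rest>' selects a remote helper (the ext:: case),
    '<scheme>://' a transport, 'user@host:path' is scp-style ssh, and
    anything else is a local path. Windows drive letters are not handled."""
    head, sep, _ = url.partition('::')
    if sep and '://' not in head and ':' not in head:
        return head.lower()
    scheme, sep, _ = url.partition('://')
    if sep:
        return scheme.lower()
    if ':' in url and '/' not in url.split(':', 1)[0]:
        return 'ssh'
    return 'file'


def is_allowed_git_url(url):
    return git_url_protocol(url) in ALLOWED_GIT_PROTOCOLS


def git_clone_argv(url, dest):
    """argv for cloning a subrepository. '--' ends option parsing, so a URL
    that begins with '-' is not read by git as an option."""
    if not is_allowed_git_url(url):
        raise ValueError('git transport %r not allowed for %r'
                         % (git_url_protocol(url), url))
    return ['git', 'clone', '--', url, dest]


def clone_subrepo(url, dest):
    """Spawn git with both defences in place (needs git installed)."""
    subprocess.run(git_clone_argv(url, dest), env=git_env(), check=True)


if __name__ == '__main__':
    # Constructed sample URLs; the ext:: one has the shape the advisory describes.
    for u in ('https://hg.example.org/git/lib.git',
              'git@hg.example.org:lib.git',
              '/srv/git/lib.git',
              'ext::sh -c id'):
        verdict = 'allow' if is_allowed_git_url(u) else 'REJECT'
        print('%-40s %-6s %s' % (u, git_url_protocol(u), verdict))
```

To check what a given git honours, run `GIT_ALLOW_PROTOCOL=https git clone 'ext::sh -c id' /tmp/x` and expect a "transport 'ext' not allowed" refusal; if the clone is attempted instead, that git is too old for the variable and only the URL check stands between .hgsub and command execution.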
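
The two symlink items (CVE-2017-1000115 and CVE-2017-17458) share one defence: before writing through a repository-relative path, check every component of it, on disk, so that a symlink committed by an attacker cannot redirect the write outside the working directory or across a subrepository boundary. The code below is an added example for this page, not Mercurial's pathauditor and not the Ubuntu patches; the component rules, the decision to check the final component too, and the demo directory layout are constructed here.

```python
import os
import tempfile

# Added example, not Mercurial's pathauditor.


class PathTraversal(ValueError):
    pass


def audit_path(root, relpath):
    """Validate a repository-relative path and return its absolute form.

    Rejects absolute paths, empty / '.' / '..' components and anything under
    a '.hg' directory (where a crafted changeset could plant hooks), then
    walks the path on disk and refuses it if any prefix is a symlink. The
    final component is checked as well, because open(path, 'w') follows a
    symlink there just as readily as in a directory component."""
    if not relpath or os.path.isabs(relpath):
        raise PathTraversal('absolute or empty path: %r' % relpath)
    parts = relpath.split('/')
    for p in parts:
        if p in ('', '.', '..') or p.lower() == '.hg':
            raise PathTraversal('forbidden component %r in %r' % (p, relpath))
    prefix = root
    for p in parts:
        prefix = os.path.join(prefix, p)
        if os.path.islink(prefix):
            raise PathTraversal('%r traverses symbolic link %r'
                                % (relpath, os.path.relpath(prefix, root)))
    return prefix


def demo():
    """Constructed layout: a working directory in which 'sub' is a symlink
    pointing outside the repository, as a malicious changeset could create
    it before a later file (or subrepository) is checked out beneath it."""
    root = tempfile.mkdtemp(prefix='hg-wd-')
    outside = tempfile.mkdtemp(prefix='hg-outside-')
    os.symlink(outside, os.path.join(root, 'sub'))
    results = {}
    for rel in ('src/main.py', 'sub/.bashrc', '../etc/passwd', '.hg/hgrc'):
        try:
            audit_path(root, rel)
            results[rel] = 'ok'
        except PathTraversal as e:
            results[rel] = 'rejected'
    return results


if __name__ == '__main__':
    for rel, verdict in demo().items():
        print('%-16s %s' % (rel, verdict))
```

The check is only as good as its timing: it must run immediately before the write, with the same root, since a symlink created between audit and write (or by an earlier file in the same update) is exactly what the "across subrepo mount point" case exploits.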

Upload details

Uploaded by:
Eduardo dos Santos Barretto on 2018-11-22
Uploaded to:
Trusty
Original maintainer:
Ubuntu Developers
Architectures:
any all
Section:
vcs
Urgency:
Medium Urgency

Publishing

Series   Pocket     Published        Component   Section
Trusty   updates    on 2018-11-22    universe    devel
Trusty   security   on 2018-11-22    universe    devel

Downloads

File                                        Size       SHA-256 Checksum
mercurial_2.8.2.orig.tar.gz                 3.7 MiB    c8a5baa21140c6cd6749c3b52b5e5e4a14b6b8ee7c518d9d9de09b1952efbe6f
mercurial_2.8.2-1ubuntu1.4.debian.tar.gz    81.6 KiB   658cb914b693b65216017fcda18944d5d835b7474239a0b0c4c9ceddf8899f45
mercurial_2.8.2-1ubuntu1.4.dsc              2.3 KiB    60b7820c12d720f0423f853c18c4d7226777db1196846ab6583749293128dbbc


Binary packages built by this source

mercurial: easy-to-use, scalable distributed version control system

 Mercurial is a fast, lightweight Source Control Management system designed
 for efficient handling of very large distributed projects.
 .
 Its features include:
  * O(1) delta-compressed file storage and retrieval scheme
  * Complete cross-indexing of files and changesets for efficient exploration
    of project history
  * Robust SHA1-based integrity checking and append-only storage model
  * Decentralized development model with arbitrary merging between trees
  * High-speed HTTP-based network merge protocol
  * Easy-to-use command-line interface
  * Integrated stand-alone web interface
  * Small Python codebase
 .
 This package contains the architecture dependent files.

mercurial-common: easy-to-use, scalable distributed version control system (common files)

 Mercurial is a fast, lightweight Source Control Management system designed
 for efficient handling of very large distributed projects.
 .
 This package contains the architecture independent components of Mercurial,
 and is generally useless without the mercurial package.

mercurial-dbgsym: debug symbols for package mercurial

 Mercurial is a fast, lightweight Source Control Management system designed
 for efficient handling of very large distributed projects.
 .
 Its features include:
  * O(1) delta-compressed file storage and retrieval scheme
  * Complete cross-indexing of files and changesets for efficient exploration
    of project history
  * Robust SHA1-based integrity checking and append-only storage model
  * Decentralized development model with arbitrary merging between trees
  * High-speed HTTP-based network merge protocol
  * Easy-to-use command-line interface
  * Integrated stand-alone web interface
  * Small Python codebase
 .
 This package contains the architecture dependent files.