Format: 1.8
Date: Fri, 16 Nov 2018 16:16:59 -0200
Source: mercurial
Binary: mercurial-common mercurial
Architecture: ppc64el
Version: 2.8.2-1ubuntu1.4
Distribution: trusty
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Eduardo Barretto
Description:
 mercurial  - easy-to-use, scalable distributed version control system
 mercurial-common - easy-to-use, scalable distributed version control system (common
Changes:
 mercurial (2.8.2-1ubuntu1.4) trusty-security; urgency=medium
 .
   * SECURITY UPDATE: Remote attackers can execute arbitrary code via a
     crafted git ext:: URL when cloning a subrepository.
     - debian/patches/CVE-2016-3068.patch: set GIT_ALLOW_PROTOCOL to limit
       git clone protocols.
     - CVE-2016-3068
   * SECURITY UPDATE: Remote attackers can execute arbitrary code via a
     crafted name when converting a Git repository.
     - debian/patches/CVE-2016-3069_part1.patch: add new, non-clowny
       interface for shelling out to git.
     - debian/patches/CVE-2016-3069_part2.patch: rewrite calls to Git to
       use the new shelling mechanism.
     - debian/patches/CVE-2016-3069_part3.patch: dead code removal - old
       git calling functions
     - debian/patches/CVE-2016-3069_part4.patch: test for shell injection
       in git calls
     - CVE-2016-3069
   * SECURITY UPDATE: The convert extension might allow attackers to
     execute arbitrary code via a crafted git repository name.
     - debian/patches/CVE-2016-3105.patch: Pass absolute paths to git.
     - CVE-2016-3105
   * SECURITY UPDATE: Remote attackers can execute arbitrary code via a
     clone, push or pull command because of a list sizing rounding error
     and short records.
     - debian/patches/CVE-2016-3630_part1.patch: fix list sizing rounding
       error.
     - debian/patches/CVE-2016-3630_part2.patch: detect short records
     - CVE-2016-3630
   * SECURITY UPDATE: hg server --stdio allows remote authenticated users
     to launch the Python debugger and execute arbitrary code.
     - debian/patches/CVE-2017-9462.patch: Protect against malicious
       hg serve --stdio invocations.
     - CVE-2017-9462
   * SECURITY UPDATE: A specially malformed repository can cause GIT
     subrepositories to run arbitrary code.
     - debian/patches/CVE-2017-17458_part1.patch: add test-audit-subrepo.t
       testcase.
     - debian/patches/CVE-2017-17458_part2.patch: disallow symlink
       traversal across subrepo mount point.
     - CVE-2017-17458
   * SECURITY UPDATE: Missing symlink check could be abused to write to
     files outside the repository.
     - debian/patches/CVE-2017-1000115.patch: Fix symlink traversal.
     - CVE-2017-1000115
   * SECURITY UPDATE: Possible shell-injection attack from not adequately
     sanitizing hostnames passed to ssh.
     - debian/patches/CVE-2017-1000116.patch: Sanitize hostnames passed
       to ssh.
     - CVE-2017-1000116
   * SECURITY UPDATE: Integer underflow and overflow.
     - debian/patches/CVE-2018-13347.patch: Protect against underflow.
     - debian/patches/CVE-2018-13347-extras.patch: Protect against
       overflow.
     - CVE-2018-13347
   * SECURITY UPDATE: Able to start fragment past the end of original
     data.
     - debian/patches/CVE-2018-13346.patch: Ensure fragment start is not
       past the end of orig.
     - CVE-2018-13346
   * SECURITY UPDATE: Data mishandling in certain situations.
     - debian/patches/CVE-2018-13348.patch: Be more careful about parsing
       binary patch data.
     - CVE-2018-13348
   * SECURITY UPDATE: Vulnerability in Protocol server can result in
     unauthorized data access.
     - debian/patches/CVE-2018-1000132.patch: Always perform permissions
       checks on protocol commands.
     - CVE-2018-1000132
Checksums-Sha1:
 e369d2376d0a59f4703fe130d352d02be6dda497 44456 mercurial_2.8.2-1ubuntu1.4_ppc64el.deb
 dd4ac8c8d54759ec0805c79ffc8beafce924fff1 89278 mercurial-dbgsym_2.8.2-1ubuntu1.4_ppc64el.ddeb
Checksums-Sha256:
 e79f81eb80b70079df5adc9da603b819bb449d407e1a23fcb62a8996d6325a26 44456 mercurial_2.8.2-1ubuntu1.4_ppc64el.deb
 30cdfe9800a4ec94980ea73ca538ded17509781e9d89f0e0321dba0306dc30e9 89278 mercurial-dbgsym_2.8.2-1ubuntu1.4_ppc64el.ddeb
Files:
 55f24e366b9059a1d60caa039be8baa0 44456 vcs optional mercurial_2.8.2-1ubuntu1.4_ppc64el.deb
 58ad0d914a92c1c52f4fc433df401e9a 89278 vcs extra mercurial-dbgsym_2.8.2-1ubuntu1.4_ppc64el.ddeb
Original-Maintainer: Python Applications Packaging Team