Important CentOS mercurial Security Update

Metadata

medium
6.8
emacs-mercurial-2.6.2-6.el7_2.x86_64.rpm, emacs-mercurial-el-2.6.2-6.el7_2.x86_64.rpm, mercurial-2.6.2-6.el7_2.src.rpm, mercurial-2.6.2-6.el7_2.x86_64.rpm, mercurial-hgk-2.6.2-6.el7_2.x86_64.rpm
CVE-2016-3068, CVE-2016-3069
rhn.redhat.com, lists.centos.org
2016-05-02
2017-07-27 19:11
ALAS-2016-697
CVE-2016-3069 mercurial
CVE-2016-3068 mercurial
CVE-2016-3068
CVE-2016-3069
2017-04-01 19:09
2017-01-05 20:14

Description


An update for mercurial is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects.

Security Fix(es):

* It was discovered that Mercurial failed to properly check Git sub-repository URLs. A Mercurial repository that includes a Git sub-repository with a specially crafted URL could cause Mercurial to execute arbitrary code. (CVE-2016-3068)

* It was discovered that the Mercurial convert extension failed to sanitize special characters in Git repository names. A Git repository with a specially crafted name could cause Mercurial to execute arbitrary code when the Git repository was converted to a Mercurial repository. (CVE-2016-3069)
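Both issues above come down to Mercurial trusting Git-related strings found inside repository content. As an added example (this is not Mercurial's own check and not code from the advisory), the Python below parses a repository's .hgsub file, lists the Git sub-repositories it declares, and flags any whose URL has no scheme or uses a scheme outside an allow-list, so a reviewer can inspect them before sub-repositories from an untrusted clone are ever checked out. The .hgsub content is constructed sample data; the allow-list of schemes is an assumed local policy, not something the advisory specifies.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .hgsub content (not from the advisory). In .hgsub, each line is
# "path = source"; a "[git]" prefix on the source marks a Git sub-repository.
SAMPLE_HGSUB = """\
# blank lines and comments are ignored
lib/vendored   = [git]https://example.invalid/vendor/lib.git
docs           = docs-subrepo
tools/internal = [git]file:///srv/git/internal.git
tools/scp      = [git]git@example.invalid:team/repo.git
"""

# Assumed policy: only network URLs with an explicit scheme are accepted unreviewed.
ALLOWED_GIT_SCHEMES = {"https", "http", "ssh", "git"}


def parse_hgsub(text):
    """Return a list of (path, kind, source) tuples for each entry in .hgsub text.

    kind is the bracketed sub-repository type ("git", "svn", ...) or "hg" when
    no prefix is present, which is Mercurial's default.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, sep, source = line.partition("=")
        if not sep:
            continue  # malformed line: no "path = source" separator
        source = source.strip()
        m = re.match(r"\[(\w+)\](.*)", source)
        kind, url = (m.group(1), m.group(2)) if m else ("hg", source)
        entries.append((path.strip(), kind, url))
    return entries


def review_git_subrepos(text):
    """Return (path, url, reason) for every Git sub-repository whose URL needs review."""
    findings = []
    for path, kind, url in parse_hgsub(text):
        if kind != "git":
            continue
        scheme = urlsplit(url).scheme.lower()
        if not scheme:
            # scp-style "user@host:path", bare paths and anything starting with "-"
            # all land here: nothing before a ":" that looks like a URL scheme.
            findings.append((path, url, "no URL scheme"))
        elif scheme not in ALLOWED_GIT_SCHEMES:
            findings.append((path, url, f"scheme {scheme!r} not in allow-list"))
    return findings


if __name__ == "__main__":
    for path, url, reason in review_git_subrepos(SAMPLE_HGSUB):
        print(f"REVIEW {path}: {url}  ({reason})")
```

Run against a real clone by reading the repository's .hgsub file into `review_git_subrepos`; an empty result means every declared Git sub-repository uses an explicitly allowed scheme, while any finding is a reason to look at that entry before `hg update` pulls the sub-repository in.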

Red Hat would like to thank Blake Burkhart for reporting these issues.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Release  Package             Patched in
7        emacs-mercurial     emacs-mercurial-2.6.2-6.el7_2.x86_64.rpm
7        emacs-mercurial-el  emacs-mercurial-el-2.6.2-6.el7_2.x86_64.rpm
7        mercurial           mercurial-2.6.2-6.el7_2.src.rpm
7        mercurial           mercurial-2.6.2-6.el7_2.x86_64.rpm
7        mercurial-hgk       mercurial-hgk-2.6.2-6.el7_2.x86_64.rpm
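Every package in the table is fixed at version-release 2.6.2-6.el7_2. As an added example (not part of this advisory or of Appcanary's tooling), the Python below answers "am I vulnerable?" for a host by comparing an installed version-release string against that fixed one. The comparison is a simplified form of RPM's segment-wise ordering (numeric segments compare as integers, alphabetic ones lexically, and a numeric segment beats an alphabetic one); epoch and tilde handling are deliberately left out because none of the listed packages use them. The `rpm -q` query at the bottom only runs when the script is executed directly on a host.

```python
import re
import subprocess

# Fixed version-release for every package in this advisory's table.
PATCHED_VR = "2.6.2-6.el7_2"
PACKAGES = ["mercurial", "emacs-mercurial", "emacs-mercurial-el", "mercurial-hgk"]


def _segments(s):
    """Split a version or release string into its numeric and alphabetic runs."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b (simplified rpmvercmp)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer than alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_vr(vr):
    """Split 'version-release' at the last dash (release strings never contain one)."""
    version, _, release = vr.rpartition("-")
    if not version:
        raise ValueError(f"expected version-release, got {vr!r}")
    return version, release


def is_patched(installed_vr, patched_vr=PATCHED_VR):
    """True when the installed version-release is at or above the patched one."""
    iv, ir = split_vr(installed_vr)
    pv, pr = split_vr(patched_vr)
    c = rpm_vercmp(iv, pv)
    if c == 0:
        c = rpm_vercmp(ir, pr)
    return c >= 0


def installed_vr(package):
    """Query rpm for the installed version-release of a package, or None if absent."""
    proc = subprocess.run(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package],
        capture_output=True, text=True,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    for pkg in PACKAGES:
        vr = installed_vr(pkg)
        if vr is None:
            print(f"{pkg}: not installed")
        else:
            state = "patched" if is_patched(vr) else "VULNERABLE"
            print(f"{pkg}-{vr}: {state} (fixed in {PATCHED_VR})")
```

Because `is_patched` takes the version-release as a plain string, the same check can be run over an inventory exported from many hosts without `rpm` being available where the script runs.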