CVE-2016-3630: [security-announce] openSUSE-SU-2016:1016-1: important: Security update for mercurial - openSUSE Security Announce
The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
openSUSE Security Update: Security update for mercurial
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:1016-1
Rating:             important
References:         #973175 #973176 #973177
Cross-References:   CVE-2016-3068 CVE-2016-3069 CVE-2016-3630
Affected Products:  openSUSE 13.2
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
mercurial was updated to fix three security issues.
These security issues were fixed:
- CVE-2016-3069: Arbitrary code execution when converting Git repos (bsc#973176).
- CVE-2016-3068: Arbitrary code execution with Git subrepos (bsc#973177).
- CVE-2016-3630: Remote code execution in binary delta decoding (bsc#973175).
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2016-452=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
mercurial-3.1.2-7.1
mercurial-debuginfo-3.1.2-7.1
mercurial-debugsource-3.1.2-7.1
- openSUSE 13.2 (noarch):
mercurial-lang-3.1.2-7.1
References:
https://www.suse.com/security/cve/CVE-2016-3068.html
https://www.suse.com/security/cve/CVE-2016-3069.html
https://www.suse.com/security/cve/CVE-2016-3630.html
https://bugzilla.suse.com/973175
https://bugzilla.suse.com/973176
https://bugzilla.suse.com/973177