From: Matt Mackall <mpm <at> selenic.com>
Subject: Mercurial 3.7.3 released
Newsgroups: gmane.comp.version-control.mercurial.general
Date: Tuesday 29th March 2016 17:20:19 UTC
This is an out of cycle release to address three security issues.

CVE-2016-3630 Mercurial: remote code execution in binary delta decoding

 Mercurial prior to 3.7.3 contained two bounds-checking errors in its
 binary delta decoder that may be exploitable via clone, push, or pull.

CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos

 Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could
 result in arbitrary code execution on clone. This is a further
 side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.

CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos

 Mercurial prior to 3.7.3 allowed arbitrary code execution when
 converting Git repos with hostile names. This could affect automated
 conversion services. Reported by Blake Burkhart.

 * bdiff: (pure) support array.array arrays (Bts:issue5130)
 * convert: add new, non-clowny interface for shelling out to git (SEC)
 * convert: dead code removal - old git calling functions (SEC)
 * convert: rewrite calls to Git to use the new shelling mechanism (SEC)
 * convert: rewrite gitpipe to use common.commandline (SEC)
 * convert: test for shell injection in git calls (SEC)
 * files: don't recurse into subrepos without a path or -S (Bts:issue5127)
 * hg: perform update after pulling during clone with share (Bts:issue5103)
 * mq: restrict generated patch name to 75 characters (Bts:issue5117)
 * obsolete: fix n^2 marker computation behavior
 * parsers: detect short records (SEC)
 * parsers: fix list sizing rounding error (SEC)
 * streamclone: fix error when store files grow while stream cloning
 * subrepo: adapt to git's recent renames-by-default
 * subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)
-- 
Mathematics is the supreme nostalgia of our time.

_______________________________________________
Mercurial mailing list
[email protected]
https://www.mercurial-scm.org/mailman/listinfo/mercurial
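The first advisory above (CVE-2016-3630) concerns bounds checking in the binary delta decoder, and the changelog entries "parsers: detect short records" and "parsers: fix list sizing rounding error" name the two failure modes. The following is an added example, not Mercurial's own mpatch code: a small decoder for the Mercurial-style delta format (records of three big-endian 32-bit integers start, end, length followed by length bytes of replacement data) that validates every field against the base and the remaining delta before touching any memory. The hostile inputs in the main block are constructed for illustration; the names `apply_delta`, `make_hunk` and `is_malformed` are this example's own.

```python
import struct

# One record of a Mercurial-style binary delta: three big-endian signed 32-bit
# ints (start, end, length) followed by `length` bytes of new data.  The hunk
# means "replace base[start:end] with those bytes".
HEADER = struct.Struct(">lll")


class DeltaError(ValueError):
    """Raised for any delta that does not fit its base or its own length."""


def make_hunk(start, end, data):
    """Encode one hunk; used here only to build example inputs."""
    return HEADER.pack(start, end, len(data)) + data


def apply_delta(base, delta):
    """Apply `delta` to `base`, checking every bound before any read.

    Checks performed (this example's, not Mercurial's implementation):
      * a 12-byte header must be fully present (rejects short records),
      * 0 <= start <= end <= len(base), and hunks must not move backwards,
      * the declared data length must lie inside the remaining delta bytes.
    """
    out = []
    last = 0            # end of the previous hunk, in base coordinates
    pos = 0             # read cursor in delta
    size = len(delta)
    while pos < size:
        if size - pos < HEADER.size:
            raise DeltaError("short record header at delta offset %d" % pos)
        start, end, length = HEADER.unpack_from(delta, pos)
        pos += HEADER.size
        # start < last also catches negative start, since last starts at 0.
        if start < last or end < start or end > len(base):
            raise DeltaError("hunk [%d:%d] does not fit base of %d bytes"
                             % (start, end, len(base)))
        if length < 0 or length > size - pos:
            raise DeltaError("hunk claims %d data bytes, %d remain"
                             % (length, size - pos))
        out.append(base[last:start])
        out.append(delta[pos:pos + length])
        pos += length
        last = end
    out.append(base[last:])
    return b"".join(out)


def is_malformed(base, delta):
    """True if apply_delta rejects the delta (handy for checks)."""
    try:
        apply_delta(base, delta)
    except DeltaError:
        return True
    return False


if __name__ == "__main__":
    base = b"hello world"
    good = make_hunk(6, 11, b"there")
    print(apply_delta(base, good))                        # b'hello there'
    # Constructed hostile inputs: truncated header, oversized length claim,
    # and an end offset past the base.
    print(is_malformed(base, good[:8]))                   # True
    print(is_malformed(base, HEADER.pack(0, 0, 1 << 30)))  # True
    print(is_malformed(base, make_hunk(0, 1000, b"")))    # True
```

The ordering check (`start < last`) matters as much as the range check: a hunk that moves backwards can make the output larger than any size computed from the headers, which is the kind of sizing mismatch a native decoder turns into an out-of-bounds write.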
 
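The second advisory (CVE-2016-3068) and the changelog entries "subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols" and "convert: test for shell injection in git calls" describe the other side of the release: how a hostile subrepo URL is handed to git. The following is an added Python example, not Mercurial's subrepo.py, showing the three layers a wrapper around git can apply: refusing URLs that git would parse as options, allowlisting the transport, and letting git enforce that same allowlist itself through GIT_ALLOW_PROTOCOL (its documented colon-separated list of permitted protocols). The helper names, the allowlist contents and the sample URLs are this example's assumptions.

```python
import os
import re
import subprocess

# Transports this wrapper permits, in the colon-separated form GIT_ALLOW_PROTOCOL
# expects.  Remote helpers such as ext:: (which runs an arbitrary command as the
# transport) are deliberately absent.
ALLOWED_PROTOCOLS = ("file", "git", "http", "https", "ssh")

_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")   # scheme://host/path
_HELPER = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)::")    # helper::address
_SCP_LIKE = re.compile(r"^[^/:]+:")                      # [user@]host:path


class UnsafeURL(ValueError):
    pass


def url_transport(url):
    """Name the transport git would select for `url` (simplified classifier).

    'scheme://...' -> scheme, 'helper::address' -> the remote helper's name,
    'host:path' -> 'ssh' (scp-like syntax), anything else -> local path.
    """
    if url.startswith("-"):
        # git would read this as a command-line option, not a repository.
        raise UnsafeURL("URL starts with '-'")
    m = _SCHEME.match(url)
    if m:
        return m.group(1).lower()
    m = _HELPER.match(url)
    if m:
        return m.group(1).lower()
    if _SCP_LIKE.match(url):
        return "ssh"
    return "file"


def is_allowed_url(url):
    """Top-level allowlist check; a '-' prefixed URL is simply not allowed."""
    try:
        return url_transport(url) in ALLOWED_PROTOCOLS
    except UnsafeURL:
        return False


def git_env():
    """Environment for the child git process.

    GIT_ALLOW_PROTOCOL is enforced by git itself, so unlike the check above it
    also covers nested submodules and redirected URLs that this wrapper never sees.
    """
    env = dict(os.environ)
    env["GIT_ALLOW_PROTOCOL"] = ":".join(ALLOWED_PROTOCOLS)
    return env


def build_clone_command(url, dest):
    """argv for the clone; '--' ends option parsing before the URL is read."""
    if not is_allowed_url(url):
        raise UnsafeURL("refusing to clone %r" % (url,))
    return ["git", "clone", "--", url, dest]


def clone_subrepo(url, dest):
    """Run the clone as a list argv with no shell, so URL text is never parsed as commands."""
    subprocess.check_call(build_clone_command(url, dest), env=git_env())


if __name__ == "__main__":
    # Constructed sample URLs; none of these is cloned here.
    for u in ("https://example.org/repo.git", "git@example.org:repo.git",
              "ext::sh -c id", "--upload-pack=id"):
        print("%-32s allowed=%s" % (u, is_allowed_url(u)))
```

The wrapper-side check is a convenience for clear error messages; the property that actually closes the hole is the environment variable, because git applies it to every transport it opens during the clone, not only the URL passed on the command line.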