Summary: | <dev-vcs/mercurial-3.8.4: arbitrary code execution when converting git repos (CVE-2016-3105) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | djc, polynomial-c, skrattaren |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1332945 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=599168 | ||
Whiteboard: | B2 [glsa cve cleanup] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2016-05-06 08:48:45 UTC
Yes, feel free to stabilize.

CVE-2016-3105 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3105): The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.

@arches, please stabilize: =dev-vcs/mercurial-3.8.4

Yes, the bug title differs as 3.8.1 is the actual fixed version thus it needs to reflect for GLSA reasons. Thanks.

Stable for HPPA PPC64.

amd64 stable

x86 stable

arm stable

Stable on alpha.

ppc stable

sparc stable

ia64 stable.

Maintainer(s), please cleanup.

This issue was resolved and addressed in GLSA 201612-19 at https://security.gentoo.org/glsa/201612-19 by GLSA coordinator Aaron Bauman (b-man).