AXSA:2019-4114:01

Release date: Monday, August 19, 2019 - 19:16
Subject: mercurial-2.6.2-10.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description: 

Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects.

Security Fix(es):

* mercurial: Buffer underflow in mpatch.c:mpatch_apply() (CVE-2018-13347)

* mercurial: HTTP server permissions bypass (CVE-2018-1000132)

* mercurial: Missing check for fragment start position in mpatch.c:mpatch_apply() (CVE-2018-13346)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2018-1000132
Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.
CVE-2018-13346
The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004.
CVE-2018-13347
mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
1. mercurial-2.6.2-10.el7.src.rpm
md5sum: 2020d499b790cae083da315829578b1d
sha256sum: e5a5c8d17c066832aae551b4fad1ac1e02ce4ad5702e34f67c6217368721ac1a
Size: 3,693 Kb

Asianux Server 7.0 for x86_64
1. mercurial-2.6.2-10.el7.x86_64.rpm
md5sum: c8f6e290dac65f3d1b9cf13dabacc912
sha256sum: da848fada0f4e91ed6fb012f33e875f614c8228b63586000adb8e79686d6b98e
Size: 2,666 Kb