mercurial-4.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10070 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z mercurial-4.0-1.1 on GA media These are all security issues fixed in the mercurial-4.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10070 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10070 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2015-7545/ SUSE CVE CVE-2015-7545 page https://www.suse.com/security/cve/CVE-2016-3068/ SUSE CVE CVE-2016-3068 page https://www.suse.com/security/cve/CVE-2016-3069/ SUSE CVE CVE-2016-3069 page https://www.suse.com/security/cve/CVE-2016-3105/ SUSE CVE CVE-2016-3105 page https://www.suse.com/security/cve/CVE-2016-3630/ SUSE CVE CVE-2016-3630 page openSUSE Tumbleweed mercurial-4.0-1.1 mercurial-lang-4.0-1.1 mercurial-4.0-1.1 as a component of openSUSE Tumbleweed mercurial-lang-4.0-1.1 as a component of openSUSE Tumbleweed The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule. CVE-2015-7545 openSUSE Tumbleweed:mercurial-4.0-1.1 openSUSE Tumbleweed:mercurial-lang-4.0-1.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7545.html CVE-2015-7545 https://bugzilla.suse.com/948969 SUSE Bug 948969 https://bugzilla.suse.com/973177 SUSE Bug 973177 https://bugzilla.suse.com/978391 SUSE Bug 978391 Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository. CVE-2016-3068 openSUSE Tumbleweed:mercurial-4.0-1.1 openSUSE Tumbleweed:mercurial-lang-4.0-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3068.html CVE-2016-3068 https://bugzilla.suse.com/973175 SUSE Bug 973175 https://bugzilla.suse.com/973177 SUSE Bug 973177 Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository. CVE-2016-3069 openSUSE Tumbleweed:mercurial-4.0-1.1 openSUSE Tumbleweed:mercurial-lang-4.0-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3069.html CVE-2016-3069 https://bugzilla.suse.com/973175 SUSE Bug 973175 https://bugzilla.suse.com/973176 SUSE Bug 973176 The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name. CVE-2016-3105 openSUSE Tumbleweed:mercurial-4.0-1.1 openSUSE Tumbleweed:mercurial-lang-4.0-1.1 moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3105.html CVE-2016-3105 https://bugzilla.suse.com/978391 SUSE Bug 978391 The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records. CVE-2016-3630 openSUSE Tumbleweed:mercurial-4.0-1.1 openSUSE Tumbleweed:mercurial-lang-4.0-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3630.html CVE-2016-3630 https://bugzilla.suse.com/973175 SUSE Bug 973175