Control: found -1 0.6-1

On Tue, Mar 29, 2016 at 21:34:20 +0200, Salvatore Bonaccorso wrote:
> Source: mercurial
> Version: 3.7.2-2
> Severity: grave
> Tags: security upstream fixed-upstream
>
> Hi,
>
> the following vulnerabilities were published for mercurial.
>
> CVE-2016-3068[0]:
> arbitrary code execution with Git subrepos
>
> CVE-2016-3069[1]:
> arbitrary code execution when converting Git repos
>
> CVE-2016-3630[2]:
> remote code execution in binary delta decoding
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-3068
> [1] https://security-tracker.debian.org/tracker/CVE-2016-3069
> [2] https://security-tracker.debian.org/tracker/CVE-2016-3630
> [3] https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
>
> Please adjust the affected versions in the BTS as needed.

19:25:27 < SpComb> is there a lower bound on old versions affected by CVE-2016-3630?
19:25:50 <@mpm> Roughly... 0.6

Javi: I already told Salvatore on IRC, but I should be able to make some time tomorrow to prepare updates for sid/jessie/wheezy if that would help; just let me know.

Cheers,
Julien