Red Hat Security Advisory 2019-2276-01

Red Hat Security Advisory 2019-2276-01: Posted Aug 6, 2019; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2019-2276-01 - Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects. Issues addressed include a bypass vulnerability.; tags | advisory, bypass; systems | linux, redhat; advisories | CVE-2018-1000132, CVE-2018-13346, CVE-2018-13347; SHA-256 | f643a26ca4764ba8bce6f93f301a04a1ba6a72a9c9ad86fd1fca73eed62dd5c3; Download | Favorite | View

Red Hat Security Advisory 2019-2276-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Moderate: mercurial security update
Advisory ID:       RHSA-2019:2276-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:2276
Issue date:        2019-08-06
CVE Names:         CVE-2018-13346 CVE-2018-13347 CVE-2018-1000132
====================================================================
1. Summary:

An update for mercurial is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mercurial is a fast, lightweight source control management system designed
for efficient handling of very large distributed projects.

Security Fix(es):

* mercurial: Buffer underflow in mpatch.c:mpatch_apply() (CVE-2018-13347)

* mercurial: HTTP server permissions bypass (CVE-2018-1000132)

* mercurial: Missing check for fragment start position in
mpatch.c:mpatch_apply() (CVE-2018-13346)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.7 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1553265 - CVE-2018-1000132 mercurial: HTTP server permissions bypass
1594087 - CVE-2018-13347 mercurial: Buffer underflow in mpatch.c:mpatch_apply()
1594090 - CVE-2018-13346 mercurial: Missing check for fragment start position in mpatch.c:mpatch_apply()

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
mercurial-2.6.2-10.el7.src.rpm

x86_64:
emacs-mercurial-2.6.2-10.el7.x86_64.rpm
emacs-mercurial-el-2.6.2-10.el7.x86_64.rpm
mercurial-2.6.2-10.el7.x86_64.rpm
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm
mercurial-hgk-2.6.2-10.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
mercurial-2.6.2-10.el7.src.rpm

x86_64:
emacs-mercurial-2.6.2-10.el7.x86_64.rpm
emacs-mercurial-el-2.6.2-10.el7.x86_64.rpm
mercurial-2.6.2-10.el7.x86_64.rpm
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm
mercurial-hgk-2.6.2-10.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
mercurial-2.6.2-10.el7.src.rpm

ppc64:
mercurial-2.6.2-10.el7.ppc64.rpm
mercurial-debuginfo-2.6.2-10.el7.ppc64.rpm

ppc64le:
mercurial-2.6.2-10.el7.ppc64le.rpm
mercurial-debuginfo-2.6.2-10.el7.ppc64le.rpm

s390x:
mercurial-2.6.2-10.el7.s390x.rpm
mercurial-debuginfo-2.6.2-10.el7.s390x.rpm

x86_64:
mercurial-2.6.2-10.el7.x86_64.rpm
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
emacs-mercurial-2.6.2-10.el7.ppc64.rpm
emacs-mercurial-el-2.6.2-10.el7.ppc64.rpm
mercurial-debuginfo-2.6.2-10.el7.ppc64.rpm
mercurial-hgk-2.6.2-10.el7.ppc64.rpm

ppc64le:
emacs-mercurial-2.6.2-10.el7.ppc64le.rpm
emacs-mercurial-el-2.6.2-10.el7.ppc64le.rpm
mercurial-debuginfo-2.6.2-10.el7.ppc64le.rpm
mercurial-hgk-2.6.2-10.el7.ppc64le.rpm

s390x:
emacs-mercurial-2.6.2-10.el7.s390x.rpm
emacs-mercurial-el-2.6.2-10.el7.s390x.rpm
mercurial-debuginfo-2.6.2-10.el7.s390x.rpm
mercurial-hgk-2.6.2-10.el7.s390x.rpm

x86_64:
emacs-mercurial-2.6.2-10.el7.x86_64.rpm
emacs-mercurial-el-2.6.2-10.el7.x86_64.rpm
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm
mercurial-hgk-2.6.2-10.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
mercurial-2.6.2-10.el7.src.rpm

x86_64:
mercurial-2.6.2-10.el7.x86_64.rpm
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
emacs-mercurial-2.6.2-10.el7.x86_64.rpm
emacs-mercurial-el-2.6.2-10.el7.x86_64.rpm
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm
mercurial-hgk-2.6.2-10.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-13346
https://access.redhat.com/security/cve/CVE-2018-13347
https://access.redhat.com/security/cve/CVE-2018-1000132
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXUl3AtzjgjWX9erEAQhjhA//VTryyZIazdoGTgKosdoix5y+kVqu10IT
v6EGtfh+5uymKwfNe641fXWcYjwWqNiPpBdjB9oC5ZnKC0yxmAzB6VNPBOx80LK9
4mo4pzyknBgMFfWqVmozEO7l8e2BenKQIzeZb6MSJpHaME9cemDLNlhgKT2XthHW
sM36fbQQLuuaXFXfPLlFUksUSyenkKGKCe2+HB8aIcCsTBOfZmixD3NkkJ1Shiyx
s8kho3Ha1qo0C/AAPKOwtnUdHcq+t2YKS4vsDBVPrAKsxTQ3FgEGNhW2CMyxZZ/e
x/CL4U7PDTLnx8DvH1oTLMe49OvzzP7wm3mmsBAzOt1V90uVbvXwXHenTB0vj3wr
50HfnBCwBHlRUA0dwDuMpG6ucypl9i5aO+M605ozU7BJG/j5I66vDhdQPD4yxmOe
oYpcxY4fp9t68irhYFUEYXaYsIhD6OEG2FT0iU3OfQdejY1RHgImlacYzzR5IsQj
8cjwrgR7/sZtlhMP4U/s1ajeW26HMVIe76q4lU6bZ04VSM8/2N4ax4UZT9/uGboh
qETwscQtywLEw6Y9CYxIWqLJR2aFZnHWXcdVJaO/RjSbS4SuuzQ18jS+cJIrm1tl
eArP8gE6jRYZAn03aa9AnfIn3fYB31ta8/pLUPsfksLfsw6SP8T5rAMEtnRqrVox
5Xx7JwzLEi8=XUsW
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 252 files
indoushka 165 files
Jay Turla 150 files
Ubuntu 71 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,119)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,136)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,775)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,828)
UNIX (9,454)
UnixWare (188)
Windows (6,766)
Other

Red Hat Security Advisory 2019-2276-01

Red Hat Security Advisory 2019-2276-01

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2019-2276-01

Share This

Red Hat Security Advisory 2019-2276-01

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems