{"id":"MGASA-2016-0138","summary":"Updated mercurial packages fix security vulnerabilities","details":"Updated mercurial packages fix security vulnerabilities:\n\nBlake Burkhart discovered that Mercurial allows URLs for Git subrepositories\nthat could result in arbitrary code execution on clone (CVE-2016-3068).\n\nBlake Burkhart discovered that Mercurial allows arbitrary code execution when\nconverting Git repositories with specially crafted names (CVE-2016-3069).\n\nIt was discovered that Mercurial does not properly perform bounds-checking in\nits binary delta decoder, which may be exploitable for remote code execution\nvia clone, push or pull (CVE-2016-3630).\n","modified":"2026-04-16T01:47:23.010367138Z","published":"2016-04-13T17:39:04Z","upstream":["CVE-2016-3068","CVE-2016-3069","CVE-2016-3630"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0138.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=18124"},{"type":"WEB","url":"https://www.debian.org/security/2016/dsa-3542"}],"affected":[{"package":{"name":"mercurial","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/mercurial?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.1-5.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0138.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}