USN-5102-2: Mercurial vulnerabilities

Publication date

16 March 2021

Overview

Mercurial could be made to overwrite files.


Packages

  • mercurial - easy-to-use, scalable distributed version control system

Details

USN-5102-1 fixed vulnerabilities in Mercurial. This update provides the
corresponding updates for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

It was discovered that Mercurial mishandled symlinks in subrepositories. An
attacker could use this issue to write arbitrary files to the
target’s filesystem. (CVE-2019-3902)

It was discovered that Mercurial incorrectly handled certain manifest files.
An attacker could use this issue to cause a denial of service and possibly
execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. (CVE-2018-17983)

USN-5102-1 fixed vulnerabilities in Mercurial. This update provides the
corresponding updates for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

It was discovered that Mercurial mishandled symlinks in subrepositories. An
attacker could use this issue to write arbitrary files to the
target’s filesystem. (CVE-2019-3902)

It was discovered that Mercurial incorrectly handled certain manifest files.
An attacker could use this issue to cause a denial of service and possibly
execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. (CVE-2018-17983)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
16.04 xenial mercurial –  3.7.3-1ubuntu1.2+esm2  
mercurial-common –  3.7.3-1ubuntu1.2+esm2  
14.04 trusty mercurial –  2.8.2-1ubuntu1.4+esm1  
mercurial-common –  2.8.2-1ubuntu1.4+esm1  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›