Issued:
2019-08-06
Updated:
2019-08-06

RHSA-2019:2276 - Security Advisory

Synopsis

Moderate: mercurial security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for mercurial is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects.

Security Fix(es):

  • mercurial: Buffer underflow in mpatch.c:mpatch_apply() (CVE-2018-13347)
  • mercurial: HTTP server permissions bypass (CVE-2018-1000132)
  • mercurial: Missing check for fragment start position in mpatch.c:mpatch_apply() (CVE-2018-13346)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux Desktop 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 7 x86_64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le

Fixes

  • BZ - 1553265 - CVE-2018-1000132 mercurial: HTTP server permissions bypass
  • BZ - 1594087 - CVE-2018-13347 mercurial: Buffer underflow in mpatch.c:mpatch_apply()
  • BZ - 1594090 - CVE-2018-13346 mercurial: Missing check for fragment start position in mpatch.c:mpatch_apply()

Red Hat Enterprise Linux Server 7

SRPM
mercurial-2.6.2-10.el7.src.rpm SHA-256: 81e68773fe50d313c02689687df9c98b4253669cac402833426aec7cba84291e
x86_64
emacs-mercurial-2.6.2-10.el7.x86_64.rpm SHA-256: 77de95205585e4230620ceee00a4ac13a90d1649cb7247b305e7e5a12981dd01
emacs-mercurial-el-2.6.2-10.el7.x86_64.rpm SHA-256: c5d3b4e4e4b4eba634eaac0876a599f913df2c0b86086c44678273ceffc8eaf6
mercurial-2.6.2-10.el7.x86_64.rpm SHA-256: 44645260926b0bf1e2789cc88d80805df743cd94946f788bafc2f9cda47188dd
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm SHA-256: 12183e091020fbabb5f8803d41ca68a0d2051e5f511bc2af4b0c2c69a31ef0f4
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm SHA-256: 12183e091020fbabb5f8803d41ca68a0d2051e5f511bc2af4b0c2c69a31ef0f4
mercurial-hgk-2.6.2-10.el7.x86_64.rpm SHA-256: da2d77accb4bf050b2cf097ae53c4c23059c31984b36266a920f6e2d3b99d873

Red Hat Enterprise Linux Workstation 7

SRPM
mercurial-2.6.2-10.el7.src.rpm SHA-256: 81e68773fe50d313c02689687df9c98b4253669cac402833426aec7cba84291e
x86_64
emacs-mercurial-2.6.2-10.el7.x86_64.rpm SHA-256: 77de95205585e4230620ceee00a4ac13a90d1649cb7247b305e7e5a12981dd01
emacs-mercurial-el-2.6.2-10.el7.x86_64.rpm SHA-256: c5d3b4e4e4b4eba634eaac0876a599f913df2c0b86086c44678273ceffc8eaf6
mercurial-2.6.2-10.el7.x86_64.rpm SHA-256: 44645260926b0bf1e2789cc88d80805df743cd94946f788bafc2f9cda47188dd
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm SHA-256: 12183e091020fbabb5f8803d41ca68a0d2051e5f511bc2af4b0c2c69a31ef0f4
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm SHA-256: 12183e091020fbabb5f8803d41ca68a0d2051e5f511bc2af4b0c2c69a31ef0f4
mercurial-hgk-2.6.2-10.el7.x86_64.rpm SHA-256: da2d77accb4bf050b2cf097ae53c4c23059c31984b36266a920f6e2d3b99d873

Red Hat Enterprise Linux Desktop 7

SRPM
mercurial-2.6.2-10.el7.src.rpm SHA-256: 81e68773fe50d313c02689687df9c98b4253669cac402833426aec7cba84291e
x86_64
emacs-mercurial-2.6.2-10.el7.x86_64.rpm SHA-256: 77de95205585e4230620ceee00a4ac13a90d1649cb7247b305e7e5a12981dd01
emacs-mercurial-el-2.6.2-10.el7.x86_64.rpm SHA-256: c5d3b4e4e4b4eba634eaac0876a599f913df2c0b86086c44678273ceffc8eaf6
mercurial-2.6.2-10.el7.x86_64.rpm SHA-256: 44645260926b0bf1e2789cc88d80805df743cd94946f788bafc2f9cda47188dd
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm SHA-256: 12183e091020fbabb5f8803d41ca68a0d2051e5f511bc2af4b0c2c69a31ef0f4
mercurial-hgk-2.6.2-10.el7.x86_64.rpm SHA-256: da2d77accb4bf050b2cf097ae53c4c23059c31984b36266a920f6e2d3b99d873

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
mercurial-2.6.2-10.el7.src.rpm SHA-256: 81e68773fe50d313c02689687df9c98b4253669cac402833426aec7cba84291e
s390x
emacs-mercurial-2.6.2-10.el7.s390x.rpm SHA-256: bf7e3a89424b370af0b8ca991f343c35e8ff2e94bd21922af854d5ce917710e3
emacs-mercurial-el-2.6.2-10.el7.s390x.rpm SHA-256: 595cfbe9049e99643c0d38ef36631eb70d3cacb732c09ad964bcfcf8a0afcf89
mercurial-2.6.2-10.el7.s390x.rpm SHA-256: 750b437e846e22a63d2512dc235d5d73e13356f795488acaa48d919a541d65fe
mercurial-debuginfo-2.6.2-10.el7.s390x.rpm SHA-256: 4ac2dd7ff589317485a934852db5588fbe7034aad5d3706013adf8e8053bdc75
mercurial-debuginfo-2.6.2-10.el7.s390x.rpm SHA-256: 4ac2dd7ff589317485a934852db5588fbe7034aad5d3706013adf8e8053bdc75
mercurial-hgk-2.6.2-10.el7.s390x.rpm SHA-256: a2894c0346b377f8dad33d57c474ae52a75aaada8293b9e3730346a07f761e8c

Red Hat Enterprise Linux for Power, big endian 7

SRPM
mercurial-2.6.2-10.el7.src.rpm SHA-256: 81e68773fe50d313c02689687df9c98b4253669cac402833426aec7cba84291e
ppc64
emacs-mercurial-2.6.2-10.el7.ppc64.rpm SHA-256: 7128450f07852d827b81786db6b1c431199294c246d0e45dada59f34b14cbac5
emacs-mercurial-el-2.6.2-10.el7.ppc64.rpm SHA-256: 1f94707e928cb25c1fb91aa7d8767e9378b2f13bb8a387a7e6e2ac6cf377f059
mercurial-2.6.2-10.el7.ppc64.rpm SHA-256: 0d3784b5c4a861f39ef3f33ed1a713cdf04d9b97321ab8d55cda16e0078e93c2
mercurial-debuginfo-2.6.2-10.el7.ppc64.rpm SHA-256: 5f79dae0f729634de4e36f5714d11557d4fd345fb6e411f9c4488aa4550ce2d1
mercurial-debuginfo-2.6.2-10.el7.ppc64.rpm SHA-256: 5f79dae0f729634de4e36f5714d11557d4fd345fb6e411f9c4488aa4550ce2d1
mercurial-hgk-2.6.2-10.el7.ppc64.rpm SHA-256: 586a33acc4fc86885989e4f4fcecf7a8b1b34d29ecd6271926b322380f819e74

Red Hat Enterprise Linux for Scientific Computing 7

SRPM
mercurial-2.6.2-10.el7.src.rpm SHA-256: 81e68773fe50d313c02689687df9c98b4253669cac402833426aec7cba84291e
x86_64
emacs-mercurial-2.6.2-10.el7.x86_64.rpm SHA-256: 77de95205585e4230620ceee00a4ac13a90d1649cb7247b305e7e5a12981dd01
emacs-mercurial-el-2.6.2-10.el7.x86_64.rpm SHA-256: c5d3b4e4e4b4eba634eaac0876a599f913df2c0b86086c44678273ceffc8eaf6
mercurial-2.6.2-10.el7.x86_64.rpm SHA-256: 44645260926b0bf1e2789cc88d80805df743cd94946f788bafc2f9cda47188dd
mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm SHA-256: 12183e091020fbabb5f8803d41ca68a0d2051e5f511bc2af4b0c2c69a31ef0f4
mercurial-hgk-2.6.2-10.el7.x86_64.rpm SHA-256: da2d77accb4bf050b2cf097ae53c4c23059c31984b36266a920f6e2d3b99d873

Red Hat Enterprise Linux for Power, little endian 7

SRPM
mercurial-2.6.2-10.el7.src.rpm SHA-256: 81e68773fe50d313c02689687df9c98b4253669cac402833426aec7cba84291e
ppc64le
emacs-mercurial-2.6.2-10.el7.ppc64le.rpm SHA-256: fdc4325186aa0b6013f9ae5585ca39242a66264aba023e252f2859f8f411e914
emacs-mercurial-el-2.6.2-10.el7.ppc64le.rpm SHA-256: 37abfa025ee9caba6e8882b2fb0704d30792ad8b69aec37d5d278cea4cb22d96
mercurial-2.6.2-10.el7.ppc64le.rpm SHA-256: 61b0eda746afb4c6727823bde5d0713c42c782e6ffd512b920829f9dace6a1fc
mercurial-debuginfo-2.6.2-10.el7.ppc64le.rpm SHA-256: f7599c4b19938ae1f145f79bfd30f683552bcf03ce3b66f911ac79cb2bc87927
mercurial-debuginfo-2.6.2-10.el7.ppc64le.rpm SHA-256: f7599c4b19938ae1f145f79bfd30f683552bcf03ce3b66f911ac79cb2bc87927
mercurial-hgk-2.6.2-10.el7.ppc64le.rpm SHA-256: 9e70d95801ef8e99bb13d168aaf28649a840c14195277f27caf1e20c51434d3c

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.