Vulnerability category: Amazon Linux
Vulnerability level:
Vulnerability information
Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2016-3630: The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
1322264: CVE-2016-3630 mercurial: remote code execution in binary delta decoding
CVE-2016-3069: It was discovered that the Mercurial convert extension failed to sanitize special characters in Git repository names. A Git repository with a specially crafted name could cause Mercurial to execute arbitrary code when the Git repository was converted to a Mercurial repository.
1320155: CVE-2016-3069 mercurial: convert extension command injection via git repository names
CVE-2016-3068: It was discovered that Mercurial failed to properly check Git sub-repository URLs. A Mercurial repository that includes a Git sub-repository with a specially crafted URL could cause Mercurial to execute arbitrary code.
1319768: CVE-2016-3068 mercurial: command injection via git subrepository urls
Vulnerability impact
Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
Solution
Administrators are advised to apply the appropriate software updates.
Patch:
Following are links for downloading patches to fix the vulnerabilities: