Security updates for roundcube, mercurial and oar.


Vulnerability Information

DSA-3541-1 roundcube -- Security Update

Security database details:

  • CVE-2015-8770: High-Tech Bridge Security Research Lab discovered that Roundcube, a webmail client, contained a path traversal vulnerability. This flaw could be exploited by an attacker to access sensitive files on the server, or even execute arbitrary code.


DSA-3542-1 mercurial -- Security Update

Security database details:

Several vulnerabilities have been discovered in Mercurial, a distributed version control system. The Common Vulnerabilities and Exposures project identifies the following issues:

  • CVE-2016-3068: Blake Burkhart discovered that Mercurial allows URLs for Git subrepositories that could result in arbitrary code execution on clone.
  • CVE-2016-3069: Blake Burkhart discovered that Mercurial allows arbitrary code execution when converting Git repositories with specially crafted names.
  • CVE-2016-3630: It was discovered that Mercurial does not properly perform bounds-checking in its binary delta decoder, which may be exploitable for remote code execution via clone, push or pull.


DSA-3543-1 oar -- Security Update

Security database details:

  • CVE-2016-1235: Emmanuel Thome discovered that missing sanitising in the oarsh command of OAR, software used to manage jobs and resources of HPC clusters, could result in privilege escalation.


Fixing Status

The roundcube vulnerabilities have been fixed in version 1.1.4+dfsg.1-1; the mercurial vulnerabilities have been fixed in version 3.7.3-1; the oar vulnerabilities have been fixed in version 2.5.7-1.

We recommend that you upgrade these packages so that the fixed versions are installed.
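To check whether the installed packages are still below the fixed versions listed above, the following script (an added example, not part of the advisory or of the Debian tooling) compares a package's installed version against the fixed version using a re-implementation of dpkg's version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything). The fixed versions are taken from the advisory text; `dpkg-query` is assumed to be present when the script is run on a Debian system, and the audit function also accepts versions supplied directly so it can be run offline.

```python
import shutil
import subprocess

# Fixed package versions, as stated in the advisory text above.
FIXED_VERSIONS = {
    "roundcube": "1.1.4+dfsg.1-1",
    "mercurial": "3.7.3-1",
    "oar": "2.5.7-1",
}


def _order(c):
    """dpkg's ordering for non-digit characters: '~' sorts before the end of
    the string, letters sort before all other characters."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _char(s, i):
    """Character at index i, or '' past the end (stands in for C's NUL)."""
    return s[i] if i < len(s) else ""


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternate between
    non-digit runs (compared by _order) and numeric runs (compared as ints)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit prefix: compare character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then compare digit by digit;
        # the longer run wins, otherwise the first differing digit decides.
        while _char(a, i) == "0":
            i += 1
        while _char(b, j) == "0":
            j += 1
        while _char(a, i).isdigit() and _char(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _char(a, i).isdigit():
            return 1
        if _char(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def installed_version(package):
    """Installed version via dpkg-query, or None if dpkg is absent or the package is not installed."""
    if shutil.which("dpkg-query") is None:
        return None
    result = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                            capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return result.stdout.strip() or None


def audit(installed):
    """installed: mapping package -> installed version (None = not installed).
    Returns package -> 'not installed' | 'VULNERABLE (...)' | 'ok (...)'."""
    report = {}
    for package, fixed in FIXED_VERSIONS.items():
        current = installed.get(package)
        if current is None:
            report[package] = "not installed"
        elif compare_versions(current, fixed) < 0:
            report[package] = "VULNERABLE (%s < %s)" % (current, fixed)
        else:
            report[package] = "ok (%s >= %s)" % (current, fixed)
    return report


if __name__ == "__main__":
    for package, status in audit({p: installed_version(p) for p in FIXED_VERSIONS}).items():
        print("%-10s %s" % (package, status))
```

Running the script on a Debian host prints one line per package; anything reported as VULNERABLE is below the version named in the advisory. Backport-style suffixes such as `1~bpo80+1` are correctly treated as older than the plain `-1` revision, which is the case that naive string or `sort -V` comparisons tend to get wrong.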
