Slackware Linux update for mercurial

Published: 2016-05-02 | Updated: 2017-05-06

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2015-7545 CVE-2016-3105
CWE-ID	CWE-20 CWE-284
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Slackware Linux Operating systems & Components / Operating system
Vendor	Slackware

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU32315

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2015-7545

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.

Mitigation

Update the affected package mercurial.

Vulnerable software versions

Slackware Linux: 13.0 - 14.1

CPE2.3

External links

https://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.533255

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU32285