{"id":12690,"date":"2016-04-19T17:07:17","date_gmt":"2016-04-19T09:07:17","guid":{"rendered":"https:\/\/www.deepin.org\/?p=9807"},"modified":"2017-08-31T10:40:50","modified_gmt":"2017-08-31T02:40:50","slug":"security-updates%ef%bc%88dsa-3541-1-dsa-3542-1-dsa-3543-1%ef%bc%89","status":"publish","type":"post","link":"https:\/\/www.deepin.org.cn\/en\/security-updates%ef%bc%88dsa-3541-1-dsa-3542-1-dsa-3543-1%ef%bc%89\/","title":{"rendered":"Security Updates\uff08DSA-3541-1 &#038;DSA-3542-1 &#038;DSA-3543-1\uff09"},"content":{"rendered":"The security updates of roundcube, mercurial and oar.<\/p>\n<p>&nbsp;<\/p>\n<h2>Vulnerability Information<\/h2>\n<p><strong>DSA-3541-1 roundcube\u2014 Security Update<\/strong><\/p>\n<p>Security database details:<\/p>\n<p><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2015-8770\" target=\"_blank\">CVE-2015-8770<\/a>: High-Tech Bridge Security Research Lab discovered that Roundcube, a webmail client, contained a path traversal vulnerability. This flaw could be exploited by an attacker to access sensitive files on the server, or even execute arbitrary code.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>DSA-3542-1 mercurial\u2014 Security Update<\/strong><\/p>\n<p>Security database details:<\/p>\n<p>Several vulnerabilities have been discovered in Mercurial, a distributed version control system. 
The Common Vulnerabilities and Exposures project identifies the following issues:<\/p>\n<ul>\n<li><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2016-3068\">CVE-2016-3068<\/a>:\u00a0Blake Burkhart discovered that Mercurial allows URLs for Git subrepositories that could result in arbitrary code execution on clone.<\/li>\n<li><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2016-3069\">CVE-2016-3069<\/a>:\u00a0Blake Burkhart discovered that Mercurial allows arbitrary code execution when converting Git repositories with specially crafted names.<\/li>\n<li><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2016-3630\">CVE-2016-3630<\/a>:\u00a0It was discovered that Mercurial does not properly perform bounds-checking in its binary delta decoder, which may be exploitable for remote code execution via clone, push or pull.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>DSA-3543-1 oar\u2014 Security Update<\/strong><\/p>\n<p>Security database details:<\/p>\n<ul>\n<li><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2016-1235\">CVE-2016-1235<\/a>: Emmanuel Thome discovered that missing sanitising in the oarsh command of OAR, a software used to manage jobs and resources of HPC clusters, could result in privilege escalation.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Fixing Status<\/h2>\n<p>roundcube security vulnerabilities have been fixed in version 1.1.4+dfsg.1-1; mercurial security vulnerabilities have been fixed in version 3.7.3-1; oar security vulnerabilities have been fixed in version 2.5.7-1.<\/p>\n<p>We recommend that you upgrade the system to obtain the patches to fix the vulnerabilities.","protected":false},"author":27,"featured_media":12694,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[75],"tags":[],"_links":{"self":[{"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/posts\/12690"}],"collection":[{"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/comments?post=12690"}],"version-history":[{"count":9,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/posts\/12690\/revisions"}],"predecessor-version":[{"id":25287,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/posts\/12690\/revisions\/25287"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/media?parent=12690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/categories?post=12690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/tags?post=12690"}],"curies":[{"name":"wp",
"href":"https:\/\/api.w.org\/{rel}","templated":true}]}}