Security Advisory Details

NS-SA-2019-0216

2019-11-22 16:16:52

Summary

critical: mercurial/firefox security update

Severity

critical

Topic

An update for mercurial/firefox is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

mercurial: Contains byte-compiled elisp packages for mercurial. To get started, start emacs, load hg-mode with M-x hg-mode, and show help with C-c h h.
firefox: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability.


Security Fix(es):
mercurial: Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in the protocol server that can result in unauthorized data access. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1. (CVE-2018-1000132)
mercurial: The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data, aka OVE-20180430-0004. (CVE-2018-13346)
mercurial: patch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction, aka OVE-20180430-0002. (CVE-2018-13347)
mercurial: bugfix
firefox: No description is available for this CVE.(CVE-2019-11757)
firefox: No description is available for this CVE.(CVE-2019-11758)
firefox: No description is available for this CVE.(CVE-2019-11762)
firefox: No description is available for this CVE.(CVE-2019-11763)
firefox: No description is available for this CVE.(CVE-2019-11764)
firefox: No description is available for this CVE.(CVE-2019-11759)
firefox: No description is available for this CVE.(CVE-2019-11760)
firefox: No description is available for this CVE.(CVE-2019-11761)
firefox: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember that the build tag is 5.04.F19.

Affected Components

  • mercurial
  • firefox

Affected Products

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

Update Packages

  • CGSL MAIN 5.04
    source: mercurial-2.6.2-10.el7.src.rpm
    binary: emacs-mercurial-2.6.2-10.el7.x86_64.rpm, emacs-mercurial-el-2.6.2-10.el7.x86_64.rpm, mercurial-2.6.2-10.el7.x86_64.rpm, mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm, mercurial-hgk-2.6.2-10.el7.x86_64.rpm
    source: firefox-68.2.0-1.el7.centos.src.rpm
    binary: firefox-68.2.0-1.el7.centos.x86_64.rpm, firefox-debuginfo-68.2.0-1.el7.centos.x86_64.rpm
  • CGSL CORE 5.04
    source: mercurial-2.6.2-10.el7.src.rpm
    binary: mercurial-2.6.2-10.el7.x86_64.rpm, mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm, mercurial-hgk-2.6.2-10.el7.x86_64.rpm, emacs-mercurial-2.6.2-10.el7.x86_64.rpm, emacs-mercurial-el-2.6.2-10.el7.x86_64.rpm
    source: firefox-68.2.0-1.el7.centos.src.rpm
    binary: firefox-68.2.0-1.el7.centos.x86_64.rpm, firefox-debuginfo-68.2.0-1.el7.centos.x86_64.rpm
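As an added example that is not part of this advisory or of NewStart's tooling: the script below takes the update-package record above (embedded in the JSON form the advisory publishes it in) together with a constructed sample of rpm -qa output, and lists the installed packages that are still older than the advisory build. The names split_nvra, rpm_vercmp and outdated_packages are chosen here, and the version comparison is a simplified rpmvercmp that assumes plain NAME-VERSION-RELEASE.ARCH strings without tilde or caret markers.

```python
import json
import re

# The "fix" record from this advisory (copied from the page), reduced to CGSL MAIN 5.04; CGSL CORE 5.04 has the same shape.
ADVISORY_FIX = json.loads('''{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[
 {"binary":["emacs-mercurial-2.6.2-10.el7.x86_64.rpm","emacs-mercurial-el-2.6.2-10.el7.x86_64.rpm",
  "mercurial-2.6.2-10.el7.x86_64.rpm","mercurial-debuginfo-2.6.2-10.el7.x86_64.rpm",
  "mercurial-hgk-2.6.2-10.el7.x86_64.rpm"],"source":"mercurial-2.6.2-10.el7.src.rpm"},
 {"binary":["firefox-68.2.0-1.el7.centos.x86_64.rpm","firefox-debuginfo-68.2.0-1.el7.centos.x86_64.rpm"],
  "source":"firefox-68.2.0-1.el7.centos.src.rpm"}]}]}''')

# Constructed sample of `rpm -qa` output (NAME-VERSION-RELEASE.ARCH): mercurial is behind the advisory build,
# firefox already matches it, bash is unrelated to this advisory.
SAMPLE_RPM_QA = """mercurial-2.6.2-8.el7.x86_64
firefox-68.2.0-1.el7.centos.x86_64
bash-4.2.46-34.el7.x86_64
"""

def split_nvra(name):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch)."""
    nvr, arch = (name[:-4] if name.endswith(".rpm") else name).rsplit(".", 1)
    n, v, r = nvr.rsplit("-", 2)   # name may itself contain dashes, so split from the right
    return n, v, r, arch

def rpm_vercmp(a, b):
    """Compare like rpmvercmp (simplified, no tilde/caret): digit runs compare numerically,
    letter runs lexically, and a digit run is newer than a letter run; returns -1, 0 or 1."""
    seg = lambda s: [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", s)]
    sa, sb = seg(a), seg(b)
    for x, y in zip(sa, sb):
        if x != y:
            return 1 if (x[0] == 0 and y[0] == 1) or (x[0] == y[0] and x[1] > y[1]) else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def outdated_packages(fix_record, rpm_qa_output, product):
    """Installed packages whose version-release is older than the advisory's build for `product`."""
    installed = {}
    for line in rpm_qa_output.split():
        n, v, r, a = split_nvra(line)
        installed[(n, a)] = (v, r)
    stale = []
    for entry in fix_record["fix"]:
        if entry["product"] != product:
            continue
        for rpm_file in (f for pkg in entry["pkgs"] for f in pkg["binary"]):
            n, v, r, a = split_nvra(rpm_file)
            if (n, a) in installed:  # a package that is not installed is not affected
                iv, ir = installed[(n, a)]
                if rpm_vercmp(iv, v) < 0 or (rpm_vercmp(iv, v) == 0 and rpm_vercmp(ir, r) < 0):
                    stale.append(f"{n}-{iv}-{ir}.{a}")
    return sorted(stale)
```

On a real host, feed the output of rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' in place of the constructed sample; an empty result means every affected package that is installed already carries the advisory build or newer.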

CVE

References