Security updates for roundcube, mercurial and oar.
Vulnerability Information
DSA-3541-1 roundcube — Security Update
Security database details:
CVE-2015-8770: High-Tech Bridge Security Research Lab discovered that Roundcube, a webmail client, contained a path traversal vulnerability. This flaw could be exploited by an attacker to access sensitive files on the server, or even execute arbitrary code.
DSA-3542-1 mercurial — Security Update
Security database details:
Several vulnerabilities have been discovered in Mercurial, a distributed version control system. The Common Vulnerabilities and Exposures project identifies the following issues:
- CVE-2016-3068: Blake Burkhart discovered that Mercurial allows URLs for Git subrepositories that could result in arbitrary code execution on clone.
- CVE-2016-3069: Blake Burkhart discovered that Mercurial allows arbitrary code execution when converting Git repositories with specially crafted names.
- CVE-2016-3630: It was discovered that Mercurial does not properly perform bounds-checking in its binary delta decoder, which may be exploitable for remote code execution via clone, push or pull.
DSA-3543-1 oar — Security Update
Security database details:
- CVE-2016-1235: Emmanuel Thome discovered that missing sanitising in the oarsh command of OAR, software used to manage jobs and resources of HPC clusters, could result in privilege escalation.
Fixing Status
The roundcube security vulnerabilities have been fixed in version 1.1.4+dfsg.1-1; the mercurial security vulnerabilities have been fixed in version 3.7.3-1; the oar security vulnerabilities have been fixed in version 2.5.7-1.
We recommend that you upgrade the system to obtain the patches that fix these vulnerabilities.