author | Graham Christensen <graham@grahamc.com> | 2016-04-07 21:24:49 -0500 |
---|---|---|
committer | Graham Christensen <graham@grahamc.com> | 2016-04-07 21:24:49 -0500 |
commit | f9099deb8ed18935b993b90c769af3f55bfcbb00 (patch) | |
tree | 457efdf691d2ff90840718971905b8067332e281 /pkgs | |
parent | 0db23cf75cdcb80f4d238b8487026e8d602c8a0f (diff) |
mercurial: 3.7.1 -> 3.7.3 for multiple CVEs
CVE-2016-3068: Blake Burkhart discovered that Mercurial allows URLs for Git subrepositories that could result in arbitrary code execution on clone.
CVE-2016-3069: Blake Burkhart discovered that Mercurial allows arbitrary code execution when converting Git repositories with specially crafted names.
CVE-2016-3630: It was discovered that Mercurial does not properly perform bounds-checking in its binary delta decoder, which may be exploitable for remote code execution via clone, push or pull.
Diffstat (limited to 'pkgs')
-rw-r--r-- | pkgs/applications/version-management/mercurial/default.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/pkgs/applications/version-management/mercurial/default.nix b/pkgs/applications/version-management/mercurial/default.nix
index b99727b2c9b61..f44baad4715b0 100644
--- a/pkgs/applications/version-management/mercurial/default.nix
+++ b/pkgs/applications/version-management/mercurial/default.nix
@@ -3,7 +3,7 @@
 , ApplicationServices, cf-private }:
 let
- version = "3.7.1";
+ version = "3.7.3";
 name = "mercurial-${version}";
 in
@@ -12,7 +12,7 @@ stdenv.mkDerivation {
 src = fetchurl {
 url = "http://mercurial.selenic.com/release/${name}.tar.gz";
- sha256 = "1vfgqlb8z2k1vcx2nvcianxmml79cqqqncchw6aj40sa8hgpvlwn";
+ sha256 = "0c2vkad9piqkggyk8y310rf619qgdfcwswnk3nv21mg2fhnw96f0";
 };
 inherit python; # pass it so that the same version can be used in hg2git |