Description of problem:
Fedora ships with Mercurial 3.5.1-1 but allegedly three CVEs are only fixed in 3.7.3.

Version-Release number of selected component (if applicable):
3.5.1-1

How reproducible:
Reproducible every time?

Steps to Reproduce:
1. Browse to the Mercurial release notes on https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29 .
2. Read about CVEs.
3. Wonder if the Mercurial in Fedora is susceptible to the CVEs.

Actual results:
Read the following:

CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.

CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.

CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.

Start panicking?

Expected results:
Calm because the problem doesn't affect Fedora or is scheduled to be fixed.

Additional info:
I can't find any reference to these CVEs anywhere other than the aforementioned wiki page. Perhaps it's a hoax? Information appears to be public so I'm not marking this bug as private.
https://security-tracker.debian.org/tracker/CVE-2016-3068 seems to suggest this is real and https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1408582.html suggests it affects mercurial versions going back to 0.6...
It looks like this might be better handled by #1322268 ...
*** This bug has been marked as a duplicate of bug 1322268 ***