Debian Security Advisory

DLA-237-1 mercurial -- LTS security update

Date Reported:
04 Jun 2015
Affected Packages:
mercurial
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2014-9390, CVE-2014-9462.
More information:
  • CVE-2014-9462

    Jesse Hertz of Matasano Security discovered that Mercurial, a distributed version control system, is prone to a command injection vulnerability via a crafted repository name in a clone command.

  • CVE-2014-9390

    There is a security vulnerability that affects mercurial repositories on a case-insensitive filesystem (e.g. VFAT or HFS+). It allows remote code execution via a specially crafted repository. This is less severe for the average Debian installation, as Debian systems are usually set up with case-sensitive filesystems.
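The two issues above share a defensive theme: input that Mercurial receives from an untrusted repository (its name on the command line, the paths it tracks) must be validated before it reaches a shell or a filesystem that does not distinguish case. The script below is an added example written for this advisory; it is not Mercurial's own fix and not Debian's patch. It shows two checks an operator could run around a clone: a repository-name validator that rejects a leading `-` and a set of shell metacharacters (the character set is my choice), and a scan over tracked paths that flags any component colliding with the `.hg` metadata directory once case-folded and stripped of Unicode format characters, approximating how a case-insensitive, normalizing filesystem such as HFS+ compares names. The function names, the sample path list and the use of Unicode category `Cf` as the set of ignorable code points are all assumptions of this example.

```python
import unicodedata

# Shell metacharacters we refuse in a repository name that may reach a shell.
# This set is an assumption of the example, not taken from the advisory.
_SHELL_META = set(';&|`$<>(){}[]*?!"\'\\ \n\r\t')


def is_safe_repo_name(name: str) -> bool:
    """Return True if `name` may be passed as a clone source or destination.

    Rejects empty names, names starting with '-' (which a downstream tool such
    as ssh or hg could parse as an option) and names containing shell
    metacharacters.
    """
    if not name or name.startswith("-"):
        return False
    return not any(ch in _SHELL_META for ch in name)


def build_clone_argv(source: str, dest: str) -> list:
    """Build an argv list for `hg clone` that never goes through a shell.

    Validation happens first; the '--' end-of-options marker then guarantees
    that both operands are treated as positional arguments.
    """
    for operand in (source, dest):
        if not is_safe_repo_name(operand):
            raise ValueError(f"unsafe repository name: {operand!r}")
    return ["hg", "clone", "--", source, dest]


def _normalize_component(component: str) -> str:
    """Approximate a case-insensitive, normalizing filesystem's view of a name.

    Unicode format characters (category Cf, e.g. zero-width joiners) are
    dropped because such filesystems ignore them when comparing names; the
    remainder is NFD-normalized and case-folded. The Cf approximation is an
    assumption of this example.
    """
    stripped = "".join(
        ch for ch in component if unicodedata.category(ch) != "Cf"
    )
    return unicodedata.normalize("NFD", stripped).casefold()


def find_metadata_collisions(paths, reserved=(".hg",)) -> list:
    """Return tracked paths with a component that folds to a reserved name.

    On a case-sensitive filesystem 'src/.HG/x' is an ordinary file; on a
    case-insensitive one it lands inside the repository's metadata directory,
    so such paths should be rejected before checkout.
    """
    hits = []
    for path in paths:
        for component in path.split("/"):
            if _normalize_component(component) in reserved:
                hits.append(path)
                break
    return hits


if __name__ == "__main__":
    # Constructed sample manifest; the third entry hides a zero-width
    # non-joiner (U+200C) inside the directory name.
    sample_paths = ["src/main.py", ".HG/notes", "docs/.hg\u200c/x", "a/.hgignore"]
    print(build_clone_argv("https://example.invalid/repo", "repo"))
    print(find_metadata_collisions(sample_paths))
```

Run it with no arguments to see the argv list and the two flagged paths; `.hgignore` is not flagged because only an exact (folded) match of a path component counts as a collision.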