Debian Security Advisory

DLA-237-1 mercurial -- LTS security update

Date Reported:
04 Jun 2015
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2014-9390, CVE-2014-9462.
More information:
  • CVE-2014-9462

    Jesse Hertz of Matasano Security discovered that Mercurial, a distributed version control system, is prone to a command injection vulnerability via a crafted repository name in a clone command.

  • CVE-2014-9390

    There is a security vulnerability that affects mercurial repositories in a case-insensitive filesystem (eg. VFAT or HFS+). It allows for remote code execution of a specially crafted repository. This is less severe for the average Debian installation as they are usually set up with case-sensitive filesystems.