[SECURITY] [DLA 237-1] mercurial security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 237-1] mercurial security update
From: Guido Günther <agx@debian.org>
Date: Thu, 4 Jun 2015 09:24:39 +0200
Message-id: <[🔎] 20150604072439.GA6975@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@debian.org>, debian-lts-announce@lists.debian.org
Reply-to: debian-lts@lists.debian.org

Package        : mercurial
Version        : 1.6.4-1+deb6u1
CVE ID         : CVE-2014-9390 CVE-2014-9462

CVE-2014-9462

    Jesse Hertz of Matasano Security discovered that Mercurial, a
    distributed version control system, is prone to a command injection
    vulnerability via a crafted repository name in a clone command.

CVE-2014-9390

    is a security vulnerability that affects mercurial repositories in a
    case-insensitive filesystem (eg. VFAT or HFS+).  It allows for remote
    code execution of a specially crafted repository.  This is less
    severe for the average Debian installation as they are usually set
    up with case-sensitive filesystems.

Attachment: signature.asc
Description: Digital signature

Reply to:

Prev by Date: [SECURITY] [DLA 236-1] wordpress security update
Next by Date: [SECURITY] [DLA 238-1] fuse security update
Previous by thread: [SECURITY] [DLA 236-1] wordpress security update
Next by thread: [SECURITY] [DLA 238-1] fuse security update
Index(es):
- Date
- Thread