Debian Security Advisory

DLA-459-1 mercurial -- LTS security update

Date Reported:
06 May 2016
Affected Packages:
mercurial
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2016-3105.
More information:

Blake Burkhart discovered an arbitrary code execution flaw in Mercurial, a distributed version control system, when using the convert extension on Git repositories with specially crafted names. This flaw in particular affects automated code conversion services that allow arbitrary repository names.

Patches are taken from the Jessie version.

For Debian 6 Squeeze, these issues have been fixed in mercurial version 2.2.2-4+deb7u3