
[SECURITY] [DLA 1072-1] mercurial security update




Package        : mercurial
Version        : 2.2.2-4+deb7u5
CVE ID         : CVE-2017-1000115 CVE-2017-1000116
Debian Bug     : 871709 871710

Two significant vulnerabilities were found in the Mercurial version
control system which could lead to shell injection attacks on clients
and to files being written outside the repository tree.

CVE-2017-1000115

    Mercurial's symlink auditing was incomplete prior to 4.3, and
    could be abused to write to files outside the repository.
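    The following is an added illustration of the kind of check a
    symlink audit performs; it is not Mercurial's own code. It models a
    repository root containing a symlink that points outside the tree
    (a constructed layout in a temporary directory) and refuses to write
    through any path component that resolves outside the root. The
    function names and the demo layout are assumptions for this example.

```python
import tempfile
from pathlib import Path


def is_path_inside(root: Path, target: Path) -> bool:
    """True if target, after following every symlink, lies under root."""
    root = root.resolve()
    resolved = target.resolve()  # non-strict: tolerates a not-yet-created tail
    try:
        resolved.relative_to(root)
    except ValueError:
        return False
    return True


def audit_write_path(repo_root, relpath) -> bool:
    """Decide whether a repository-relative path is safe to write.

    Hypothetical audit, not Mercurial's: rejects absolute paths and '..'
    components outright, then walks each component and, whenever one is a
    symlink, requires its resolved location to remain under repo_root.
    """
    root = Path(repo_root).resolve()
    rel = Path(relpath)
    if rel.is_absolute() or ".." in rel.parts:
        return False
    current = root
    for part in rel.parts:
        current = current / part
        if current.is_symlink() and not is_path_inside(root, current):
            return False  # this component escapes the tree
    return is_path_inside(root, current)


def build_demo_repo() -> Path:
    """Constructed layout: repo/docs/ and repo/escape -> ../outside."""
    base = Path(tempfile.mkdtemp())
    repo = base / "repo"
    outside = base / "outside"
    repo.mkdir()
    outside.mkdir()
    (repo / "docs").mkdir()
    (repo / "escape").symlink_to(outside, target_is_directory=True)
    return repo


def run_demo() -> dict:
    """Audit three candidate write paths against the constructed repo."""
    repo = build_demo_repo()
    candidates = ["docs/README", "escape/evil", "../x"]
    return {c: audit_write_path(repo, c) for c in candidates}


if __name__ == "__main__":
    for path, ok in run_demo().items():
        print(f"{path!r}: {'allowed' if ok else 'rejected'}")
```

    The check is only sound if every component is examined, not just the
    final one: the write target "escape/evil" does not itself exist, so a
    single resolve() on the leaf would still report a location under the
    symlink, and only the per-component walk catches that the symlink
    leaves the root.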

CVE-2017-1000116

    Mercurial was not sanitizing hostnames passed to ssh, allowing
    shell injection attacks on clients by specifying a hostname
    starting with -oProxyCommand. This vulnerability is similar to
    those in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800).
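    As an added example, not code from Mercurial or Debian, the following
    shows the client-side mitigation shape for this class of bug: validate
    the hostname before it is ever placed on an ssh command line, reject
    anything that begins with "-" (so it cannot be parsed as an ssh
    option), and build the command as an argument vector rather than a
    shell string. The accepted hostname grammar (optional user@ prefix,
    DNS-style labels) and the function names are assumptions chosen for
    this illustration.

```python
import re

# Constructed grammar for this example: optional "user@", then a hostname
# that starts with a letter or digit and contains only [A-Za-z0-9.-].
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$"
)


def is_safe_ssh_host(host: str) -> bool:
    """Return True only for hostnames that cannot be read as ssh options.

    A leading '-' is rejected first and explicitly, so that a value such as
    '-oProxyCommand=...' can never reach ssh as its first positional arg.
    """
    if not host or host.startswith("-"):
        return False
    return bool(_HOST_RE.match(host))


def build_ssh_argv(host: str, remote_cmd: str) -> list:
    """Build an argv list for subprocess (no shell), refusing unsafe hosts.

    Hypothetical helper: the remote command is passed as one argument and
    must be quoted by the caller for the remote shell, which is a separate
    concern from the hostname check shown here.
    """
    if not is_safe_ssh_host(host):
        raise ValueError(f"refusing unsafe ssh hostname: {host!r}")
    return ["ssh", host, remote_cmd]


def classify(hosts) -> dict:
    """Map each candidate hostname to the validator's verdict."""
    return {h: is_safe_ssh_host(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample inputs, including the option-shaped one from the
    # advisory, a user@ variant, and a hostname with a shell metacharacter.
    for h, ok in classify(
        ["example.com", "hg@example.com", "-oProxyCommand=x",
         "hg@-oProxyCommand=x", "bad;host"]
    ).items():
        print(f"{h!r}: {'ok' if ok else 'rejected'}")
    print(build_ssh_argv("example.com", "hg -R repo serve --stdio"))
```

    The user@ case is included because a validator that only inspects the
    bare host would accept "hg@-oProxyCommand=x" while ssh would still
    parse the part after the '@' as the host; checking the full string
    against an allow-list grammar avoids that gap.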

For Debian 7 "Wheezy", these problems have been fixed in version
2.2.2-4+deb7u5.

We recommend that you upgrade your mercurial packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS