[SECURITY] [DLA 1072-1] mercurial security update
Package : mercurial
Version : 2.2.2-4+deb7u5
CVE ID : CVE-2017-1000115 CVE-2017-1000116
Debian Bug : 871709 871710
Two significant vulnerabilities were found in the Mercurial version
control system which could lead to shell injection attacks and
out-of-tree file overwrite.
CVE-2017-1000115

    Mercurial's symlink auditing was incomplete prior to 4.3, and
    could be abused to write to files outside the repository.

CVE-2017-1000116

    Mercurial was not sanitizing hostnames passed to ssh, allowing
    shell injection attacks on clients by specifying a hostname
    starting with -oProxyCommand. This vulnerability is similar to
    those in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800).
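As an added illustration (not Mercurial's own code and not the patch shipped in this update), the checks below show the defensive shape of fixes for both issues: a hostname validator and argv builder for the ssh case, and a path auditor that refuses '..' and symlink components for the working-tree case. It assumes an OpenSSH-style client that honours '--' to end option parsing; the function names and the directory layout built in symlink_demo are constructed for the example.

```python
import os
import re
import tempfile

# ssh treats a leading '-' as an option (e.g. -oProxyCommand=...), so the
# host must start with an alphanumeric; an optional user@ prefix is allowed.
_HOST_RE = re.compile(r'^(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9][A-Za-z0-9.-]*$')

def is_safe_ssh_host(host):
    return not host.startswith('-') and _HOST_RE.match(host) is not None

def ssh_argv(host, remote_cmd):
    """Reject unsafe hosts and put the host after '--' so ssh never reads it as an option."""
    if not is_safe_ssh_host(host):
        raise ValueError('unsafe ssh hostname: %r' % host)
    return ['ssh', '--', host, remote_cmd]

def audit_path(root, relpath):
    """Return the on-disk target of relpath, or raise ValueError if the path
    is absolute, contains '..', or passes through a symlink component."""
    if os.path.isabs(relpath):
        raise ValueError('absolute path: %r' % relpath)
    cur = root
    for part in relpath.split('/'):
        if part in ('', '.'):
            continue
        if part == '..':
            raise ValueError('traversal in %r' % relpath)
        cur = os.path.join(cur, part)
        # Check each prefix so a symlink planted earlier cannot redirect the write.
        if os.path.islink(cur):
            raise ValueError('%r passes through symlink %r' % (relpath, part))
    return cur

def is_safe_path(root, relpath):
    try:
        audit_path(root, relpath)
        return True
    except ValueError:
        return False

def symlink_demo():
    """Constructed layout: repo/link -> directory outside the repo. A plain
    write is allowed; a write through the link must be refused."""
    base = tempfile.mkdtemp()
    repo = os.path.join(base, 'repo')
    os.mkdir(repo)
    os.symlink(base, os.path.join(repo, 'link'))
    return is_safe_path(repo, 'src/main.py'), is_safe_path(repo, 'link/file')
```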
For Debian 7 "Wheezy", these problems have been fixed in version
2.2.2-4+deb7u5.
We recommend that you upgrade your mercurial packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS