Debian Security Advisory
DLA-237-1 mercurial -- LTS security update
- Date Reported: 04 Jun 2015
- Affected Packages: mercurial
- Security database references: In Mitre's CVE dictionary: CVE-2014-9390, CVE-2014-9462.
- More information:
Jesse Hertz of Matasano Security discovered that Mercurial, a distributed version control system, is prone to a command injection vulnerability via a crafted repository name in a clone command.
A second vulnerability affects Mercurial repositories on a case-insensitive filesystem (e.g. VFAT or HFS+). It allows remote code execution via a specially crafted repository. This is less severe for the average Debian installation, as Debian systems are usually set up with case-sensitive filesystems.
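Two pre-clone checks a maintainer could run against the issue classes named above, as an added example that is not part of the advisory or of Mercurial itself. It assumes that for the command-injection issue the ssh:// host or path is what reaches the ssh command line, and that the case-insensitive filesystem issue involves a tracked path component that case-folds to the `.hg` metadata directory name.

```python
"""Pre-clone checks for the two issue classes described in DLA-237-1.

Added example, not Debian's or Mercurial's own code. Assumptions: the
command-injection issue (CVE-2014-9462) stems from an ssh:// source whose
host or path is handed to the ssh client as an argument, so a value that
begins with '-' or carries shell metacharacters is rejected; the
case-insensitive filesystem issue (CVE-2014-9390) stems from a tracked
path component that case-folds to the '.hg' metadata directory name.
"""
import re
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Characters that would let a repository name escape the ssh command line.
_SHELL_META = re.compile(r"[;&|`$<>\s'\"\\]")


def unsafe_clone_source(source: str) -> Optional[str]:
    """Return a reason string if `source` should not be passed to `hg clone`.

    Returns None when the source looks safe (or is not an ssh:// URL).
    """
    parts = urlsplit(source)
    if parts.scheme != "ssh":
        return None  # only ssh:// sources reach the ssh client
    host = parts.hostname or ""
    path = parts.path.lstrip("/")
    for label, value in (("host", host), ("path", path)):
        if not value:
            continue
        if value.startswith("-"):
            return f"{label} starts with '-' and would be parsed as an ssh option"
        if _SHELL_META.search(value):
            return f"{label} contains shell metacharacters"
    return None


def hg_casefold_collisions(tracked_paths: Iterable[str]) -> List[str]:
    """Return tracked paths with a component that case-folds to '.hg'.

    On a case-insensitive filesystem such a component aliases the real
    metadata directory. HFS+ ignorable code points are not handled here.
    """
    hits = []
    for p in tracked_paths:
        if any(comp.casefold() == ".hg" for comp in p.split("/")):
            hits.append(p)
    return hits
```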