Debian Security Advisory
DSA-3963-1 mercurial -- security update
- Date Reported:
- 04 Sep 2017
- Affected Packages:
- mercurial
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 861243, Bug 871709, Bug 871710.
In Mitre's CVE dictionary: CVE-2017-9462, CVE-2017-1000115, CVE-2017-1000116. - More information:
-
Several issues were discovered in Mercurial, a distributed revision control system.
- CVE-2017-9462
(fixed in stretch only)
Jonathan Claudius of Mozilla discovered that repositories served over stdio could be tricked into granting authorized users access to the Python debugger.
- CVE-2017-1000115
Mercurial's symlink auditing was incomplete, and could be abused to write files outside the repository.
- CVE-2017-1000116
Joern Schneeweisz discovered that Mercurial did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command.
For the oldstable distribution (jessie), these problems have been fixed in version 3.1.2-2+deb8u4.
For the stable distribution (stretch), these problems have been fixed in version 4.0-1+deb9u1.
We recommend that you upgrade your mercurial packages.
- CVE-2017-9462
(fixed in stretch only)