Debian Security Advisory

DSA-3963-1 mercurial -- security update

Date Reported:
04 Sep 2017
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 861243, Bug 871709, Bug 871710.
In Mitre's CVE dictionary: CVE-2017-9462, CVE-2017-1000115, CVE-2017-1000116.
More information:

Several issues were discovered in Mercurial, a distributed revision control system.

  • CVE-2017-9462 (fixed in stretch only)

    Jonathan Claudius of Mozilla discovered that repositories served over stdio could be tricked into granting authorized users access to the Python debugger.

  • CVE-2017-1000115

    Mercurial's symlink auditing was incomplete, and could be abused to write files outside the repository.

  • CVE-2017-1000116

    Joern Schneeweisz discovered that Mercurial did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command.

For the oldstable distribution (jessie), these problems have been fixed in version 3.1.2-2+deb8u4.

For the stable distribution (stretch), these problems have been fixed in version 4.0-1+deb9u1.

We recommend that you upgrade your mercurial packages.