Debian Security Advisory
DSA-3963-1 mercurial -- security update
- Date Reported:
- 04 Sep 2017
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 861243, Bug 871709, Bug 871710.
In Mitre's CVE dictionary: CVE-2017-9462, CVE-2017-1000115, CVE-2017-1000116.
- More information:
Several issues were discovered in Mercurial, a distributed revision control system.
(fixed in stretch only)
Jonathan Claudius of Mozilla discovered that repositories served over stdio could be tricked into granting authorized users access to the Python debugger.
Mercurial's symlink auditing was incomplete, and could be abused to write files outside the repository.
Joern Schneeweisz discovered that Mercurial did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command.
For the oldstable distribution (jessie), these problems have been fixed in version 3.1.2-2+deb8u4.
For the stable distribution (stretch), these problems have been fixed in version 4.0-1+deb9u1.
We recommend that you upgrade your mercurial packages.
- CVE-2017-9462 (fixed in stretch only)