Debian Security Advisory DSA-3963-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
September 04, 2017                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mercurial
CVE ID         : CVE-2017-9462 CVE-2017-1000115 CVE-2017-1000116
Debian Bug     : 861243 871709 871710

Several issues were discovered in Mercurial, a distributed revision
control system.

CVE-2017-9462 (fixed in stretch only)

Jonathan Claudius of Mozilla discovered that repositories served over
stdio (hg serve --stdio, the mode used behind ssh access) could be
tricked into granting authenticated users access to the Python
debugger, and through it arbitrary code execution as the user running
the server.

CVE-2017-1000115

Mercurial's symlink auditing was incomplete: when checking out a
specially crafted repository, files could be written through a symlink
to locations outside the working directory.
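The check that an update must perform for every path it is about to write, as an added example that is not Mercurial's own auditor: every ancestor of the destination is lstat()'ed on each call and rejected if it is a symlink, nothing is cached between files (a symlink created earlier in the same checkout is still seen), and absolute paths, ".." components and the .hg metadata directory are refused. The function names, the temporary working copy and the candidate paths in demo() are constructed for this example.

```python
import os
import stat
import tempfile


def audit_path(root, relpath):
    """Validate `relpath` before a checkout writes it under `root`.

    Returns the absolute destination, or raises ValueError when the path
    is absolute, contains '.', '..' or empty components, points into the
    .hg metadata directory, or crosses a symlink at any component.  Every
    component is re-checked with lstat() on every call; no per-directory
    result is cached, so a symlink that an earlier file of the same
    checkout created is still caught here.
    """
    if not relpath or os.path.isabs(relpath):
        raise ValueError("absolute or empty path: %r" % (relpath,))
    parts = relpath.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("unsafe component in %r" % (relpath,))
    if parts[0].lower() == ".hg":
        raise ValueError("path inside repository metadata: %r" % (relpath,))

    cur = root
    for i, comp in enumerate(parts):
        cur = os.path.join(cur, comp)
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            # Nothing beyond this point exists yet; the checkout will create
            # plain directories and then the file, so there is nothing left
            # that could redirect the write.
            break
        if stat.S_ISLNK(st.st_mode):
            raise ValueError("path crosses a symlink at %r" % (cur,))
        last = i == len(parts) - 1
        if not last and not stat.S_ISDIR(st.st_mode):
            raise ValueError("non-directory ancestor at %r" % (cur,))
    return os.path.join(root, *parts)


def demo():
    """Constructed scenario (example only): a working copy containing a
    symlink that points outside it.  Returns {relpath: accepted?}."""
    with tempfile.TemporaryDirectory(prefix="hg-audit-") as base:
        root = os.path.join(base, "repo")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(root, "sub"))
        os.makedirs(os.path.join(root, ".hg"))
        os.makedirs(outside)
        # A crafted changeset could have checked this symlink out one file
        # earlier in the same update.
        os.symlink(outside, os.path.join(root, "link"))
        with open(os.path.join(root, "plain.txt"), "w") as fh:
            fh.write("x\n")

        candidates = [
            "sub/ok.txt",          # ordinary file in an existing directory
            "newdir/deep/ok.txt",  # directories that do not exist yet
            "link/evil.txt",       # would land in `outside` via the symlink
            "plain.txt/child",     # ancestor is a regular file
            "../escape.txt",       # classic traversal
            "/etc/passwd",         # absolute path
            ".hg/hgrc",            # repository metadata
        ]
        results = {}
        for rel in candidates:
            try:
                audit_path(root, rel)
                results[rel] = True
            except ValueError:
                results[rel] = False
        return results


if __name__ == "__main__":
    for rel, ok in demo().items():
        print("%-22s %s" % (rel, "accepted" if ok else "rejected"))
```

The writer that follows the audit should still open the destination with O_NOFOLLOW or unlink an existing leaf first, so that a race between audit and write cannot reintroduce a symlink.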

CVE-2017-1000116

Joern Schneeweisz discovered that Mercurial did not correctly handle
maliciously constructed ssh:// URLs: the host part of the URL was
handed to the ssh client unchecked, so a host beginning with "-" was
interpreted as an ssh option. This allowed an attacker who could make
a user clone or pull from such a URL, for example through a
subrepository definition, to run an arbitrary shell command on that
user's machine.
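The input validation and argv construction the client side needs, as an added example (not Mercurial's own sshpeer code): every URL component that becomes its own ssh argument is rejected if it starts with "-", the port must be numeric, the remote command is shell-quoted, and "--" separates ssh options from the target. The URL splitter is deliberately minimal (no percent-decoding, no bracketed IPv6 hosts); the function names and the sample URLs in demo() are constructed for this example, and the remote command string follows the "hg -R <path> serve --stdio" form Mercurial uses.

```python
import shlex


class UnsafeSshUrl(ValueError):
    """Raised for ssh:// URLs whose parts would be misparsed by ssh."""


def split_ssh_url(url):
    """Split ssh://[user@]host[:port]/path into (user, host, port, path).

    Minimal on purpose (an assumption of this example): no percent-decoding
    and no bracketed IPv6 hosts.  The point is what reaches the ssh command
    line, not full URL parsing.
    """
    if not url.startswith("ssh://"):
        raise ValueError("not an ssh:// URL: %r" % (url,))
    authority, _, path = url[len("ssh://"):].partition("/")
    user = None
    if "@" in authority:
        user, authority = authority.rsplit("@", 1)
    host, _, port = authority.partition(":")
    return user, host, port, path


def check_safe_ssh_url(url):
    """Return (user, host, port, path) or raise UnsafeSshUrl.

    The user@host target is a separate argv element for ssh, so it must not
    look like an option; the port must be numeric so that it cannot smuggle
    an option either; a path is required because it names the repository.
    """
    user, host, port, path = split_ssh_url(url)
    if not host:
        raise UnsafeSshUrl("missing host in %r" % (url,))
    target = "%s@%s" % (user, host) if user else host
    if target.startswith("-"):
        raise UnsafeSshUrl("host %r would be parsed as an ssh option" % (target,))
    if port and not port.isdigit():
        raise UnsafeSshUrl("non-numeric port %r" % (port,))
    if not path:
        raise UnsafeSshUrl("missing repository path in %r" % (url,))
    return user, host, port, path


def build_ssh_argv(url, remote_hg="hg"):
    """Build the argv (no shell on the local side) for talking to a remote
    repository over ssh.  Raises UnsafeSshUrl for option-shaped components."""
    user, host, port, path = check_safe_ssh_url(url)
    target = "%s@%s" % (user, host) if user else host
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    # "--" ends option parsing in OpenSSH; the leading-dash check above is
    # still needed because the ssh client is user-configurable and not every
    # client honours "--".
    argv += ["--", target]
    # The remote side runs this through a shell, so quote the path for it.
    argv.append("%s -R %s serve --stdio" % (remote_hg, shlex.quote(path)))
    return argv


def demo():
    """Constructed URLs (example only): one legitimate, three shaped like
    the attack.  Returns {url: argv or None if rejected}."""
    urls = [
        "ssh://hg@example.org:2222/projects/repo",
        "ssh://-oProxyCommand=id/repo",
        "ssh://-oProxyCommand=id@example.org/repo",
        "ssh://example.org:-oProxyCommand=id/repo",
    ]
    out = {}
    for url in urls:
        try:
            out[url] = build_ssh_argv(url)
        except UnsafeSshUrl:
            out[url] = None
    return out


if __name__ == "__main__":
    for url, argv in demo().items():
        print(url, "->", argv if argv else "REJECTED")
```

The same leading-dash check belongs in any wrapper that passes a user-supplied host or port to ssh, scp or git, since all of them parse options before the positional target.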

For the oldstable distribution (jessie), these problems have been fixed
in version 3.1.2-2+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 4.0-1+deb9u1.

We recommend that you upgrade your mercurial packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org