mercurial -- security update

2017-09-04T00:00:00
ID DSA-3963
Type debian
Reporter Debian
Modified 2017-09-04T00:00:00

Description

Several issues were discovered in Mercurial, a distributed revision control system.

Jonathan Claudius of Mozilla discovered that repositories served over stdio could be tricked into granting authorized users access to the Python debugger.

Mercurial's symlink auditing was incomplete, and could be abused to write files outside the repository.

Joern Schneeweisz discovered that Mercurial did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command.

For the oldstable distribution (jessie), these problems have been fixed in version 3.1.2-2+deb8u4.

For the stable distribution (stretch), these problems have been fixed in version 4.0-1+deb9u1.

We recommend that you upgrade your mercurial packages.