Lucene search

Gentoo FoundationMGASA-2017-0182

HistoryJun 26, 2017 - 12:28 p.m.

Updated mercurial packages fix security vulnerability

2017-06-2612:28:17

Gentoo Foundation

advisories.mageia.org

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.03 Low

EPSS

Percentile

90.8%

JSON

In Mercurial before 4.1.3, “hg serve --stdio” allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

OSVersionArchitecturePackageVersionFilename
Mageia5noarchmercurial< 3.1.1-5.3mercurial-3.1.1-5.3.mga5

OS	Version	Architecture	Package	Version	Filename
Mageia	5	noarch	mercurial	< 3.1.1-5.3	mercurial-3.1.1-5.3.mga5

References

bugs.mageia.org/show_bug.cgi?id=20849

lists.opensuse.org/opensuse-security-announce/2017-06/msg00007.html

www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.03 Low

EPSS

Percentile

90.8%

JSON

Related for MGASA-2017-0182