Debian alert DLA-1072-1 (mercurial)
| From: | Antoine Beaupre <anarcat@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 1072-1] mercurial security update |
| Date: | Thu, 31 Aug 2017 07:57:25 -0400 |
| Message-ID: | <20170831115725.j5zsoqzymbbdimcs@curie.anarc.at> |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : mercurial
Version        : 2.2.2-4+deb7u5
CVE ID         : CVE-2017-1000115 CVE-2017-1000116
Debian Bug     : 871709 871710

Two significant vulnerabilities were found in the Mercurial version
control system which could lead to shell injection attacks and
out-of-tree file overwrite.

CVE-2017-1000115

Mercurial's symlink auditing was incomplete prior to 4.3, and could be
abused to write to files outside the repository.

CVE-2017-1000116

Mercurial was not sanitizing hostnames passed to ssh, allowing shell
injection attacks on clients by specifying a hostname starting with
-oProxyCommand. This vulnerability is similar to those in Git
(CVE-2017-1000117) and Subversion (CVE-2017-9800).

For Debian 7 "Wheezy", these problems have been fixed in version
2.2.2-4+deb7u5.

We recommend that you upgrade your mercurial packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEjckBzmQUbASK1Q+7eSFSUnt1kh4FAlmn+XkACgkQeSFSUnt1
kh6jyQ/+OEuvmcIDUnAScvFHf6SAsA8LduDdNXawHLjyNqf8wssyBADTA57nYZAm
Fe9FYZPIwhG+RNClO+Rj+uzlqFAM4NoX/It5iSEXv6VLD2H56t3sXIe197RLUn1N
ZGISGrwDSW6r9tbnx+Ou/JamwYAL/P4B2SbaA7od0YUHCxTXNOHpD+VXuVzsQnAw
Z3kO6r4xU+/AHXz7BazQ1KE6YyqgeM6LzwEXlfOE7jbGxeQ/WgXaQivW0Eal9HZt
Mtzjnbs98d5EhV/rLCWar4DsKlvIbPK8tihYMID4dC39d4W4KvZh0Pw8UFbsgmT7
qZY5WfAniNYvCit+mbbw79YwXwsTdzfSC9rboytIV+I7WLpQY5YY4TAC/1GQh8EI
qzA+BkW1+OTv2+hNIuytv0qyICOWceGkpw0xD77utIPOx63Szey2dtvtDg97ZWFm
2L1DrgSxLROQVPlKoKwfXcsM2aQbv1Q3SW50deTGiq8FflMYKfPpeijGDR7Ig6ve
3WfzypP6XinDaAF4vVhezWI4Zt+l1AhqNMEi8f5pXSNQqAk3W+qOqbQD5PwMea70
9DKPClOsL5OEcBztQ55fSfbIMJEm2H/x5sbTW5eKiMo9emJWkbfe81IHogHm5XIA
4wvuLKHXTDOle6vzdGWxBpnRBM94ooajZd6h9fI/xiCAg8yp1yA=
=Ud/i
-----END PGP SIGNATURE-----
