
Debian alert DLA-1764-1 (mercurial)

From:  "Chris Lamb" <lamby@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 1764-1] mercurial security update
Date:  Thu, 25 Apr 2019 13:31:46 -0400
Message-ID:  <82a5085a-4610-46df-85d6-78b70cc15fba@www.fastmail.com>

Package        : mercurial
Version        : 3.1.2-2+deb8u7
CVE ID         : CVE-2019-3902
Debian Bug     : #927674

It was discovered that there was a path traversal vulnerability in the
"mercurial" distributed revision version control system.

Symbolic links and subrepositories could be used to defeat Mercurial's
path-checking logic and write files outside the repository root.

For Debian 8 "Jessie", this issue has been fixed in mercurial version
3.1.2-2+deb8u7.

We recommend that you upgrade your mercurial packages.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
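The bug class named in the advisory, as an added illustration (not Mercurial's code and not part of the advisory): a purely lexical containment check accepts a path that passes through a symlink, while a check that inspects each component on disk rejects it. The function names and the constructed directory layout are assumptions made for this example.

```python
import os
import tempfile


def lexical_check(root, relpath):
    """Naive check: normalise the string and compare prefixes; never touches disk."""
    target = os.path.normpath(os.path.join(root, relpath))
    return target == root or target.startswith(root + os.sep)


def symlink_aware_check(root, relpath):
    """Reject paths that cross a symlink or resolve outside the repository root."""
    if not lexical_check(root, relpath):
        return False
    # Walk every component below root; a symlink anywhere on the way
    # (including the final component) can redirect the write.
    current = root
    for part in os.path.normpath(relpath).split(os.sep):
        current = os.path.join(current, part)
        if os.path.islink(current):
            return False
    # Second line of defence: the resolved parent must still sit under root.
    real_root = os.path.realpath(root)
    real_parent = os.path.realpath(os.path.dirname(os.path.join(root, relpath)))
    return os.path.commonpath([real_root, real_parent]) == real_root


def demo():
    """Build a constructed repo layout and run both checks over sample paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "src"))
        os.makedirs(outside)
        # Constructed sample: "sub" looks like a directory inside the repo
        # but is a symlink pointing outside the repository root.
        os.symlink(outside, os.path.join(root, "sub"))
        cases = ["src/main.py", "sub/written.txt", "../outside/written.txt"]
        return {c: (lexical_check(root, c), symlink_aware_check(root, c))
                for c in cases}


if __name__ == "__main__":
    for path, (lexical, aware) in demo().items():
        print(f"{path:26} lexical={lexical!s:5} symlink_aware={aware}")
```

A check of this kind is still subject to a race between the check and the write if the working directory can change in between.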



