[3.5] mercurial: Multiple vulnerabilities (CVE-2017-9462, CVE-2017-1000115, CVE-2017-1000116)
CVE-2017-9462: Python debugger accessible to authorized users
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
CVE-2017-1000115: Mercurial’s symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
CVE-2017-1000116: Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
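Two of the three issues above (CVE-2017-9462 and CVE-2017-1000116) share one root cause: an attacker-controlled string (a repository name, an ssh hostname) that begins with "-" is placed where a command-line parser treats it as an option. The following is an added example, not Mercurial's own code and not taken from the upstream fix; it shows the defensive pattern a client can apply before handing such values to a subprocess: reject anything that does not look like a hostname or repository path, and additionally terminate option parsing with "--" so that a value can never be read as a flag. The function names, the regular expressions and the sample inputs are all constructed for this example.

```python
import re
from typing import List, Optional

# Strict allow-list for DNS-style hostnames: the first character must be
# alphanumeric, so any "-o..." or "--..." string is rejected outright.
# IPv6 literals in brackets are deliberately not accepted by this toy check.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")

# Remote repository paths: no leading "-", no whitespace, no shell metacharacters.
_REPO_PATH_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./~-]*$")


class UnsafeArgument(ValueError):
    """Raised when a user-supplied value could be misread as an option."""


def is_safe_ssh_host(host: str) -> bool:
    """True only if `host` is a plain hostname that cannot be parsed as an ssh flag."""
    return bool(host) and not host.startswith("-") and _HOSTNAME_RE.match(host) is not None


def is_safe_repo_path(path: str) -> bool:
    """True only if `path` cannot be parsed as an hg option such as --debugger."""
    return bool(path) and not path.startswith("-") and _REPO_PATH_RE.match(path) is not None


def build_ssh_argv(host: str, repo_path: str, user: Optional[str] = None,
                   port: Optional[int] = None) -> List[str]:
    """Build an argv (never a shell string) for `ssh <host> hg -R <repo> serve --stdio`.

    Validation is the primary control; the "--" end-of-options marker, which
    OpenSSH's option parsing honours, is a second layer in case a future caller
    bypasses the checks.
    """
    if not is_safe_ssh_host(host):
        raise UnsafeArgument(f"refusing hostname that could be an ssh option: {host!r}")
    if user is not None and not _HOSTNAME_RE.match(user):
        raise UnsafeArgument(f"refusing user that could be an ssh option: {user!r}")
    if not is_safe_repo_path(repo_path):
        raise UnsafeArgument(f"refusing repository path that could be an hg option: {repo_path!r}")

    argv: List[str] = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    argv.append("--")  # everything after this is positional, never an option
    argv.append(f"{user}@{host}" if user else host)
    # The remote command is one argument; it is run by the remote shell, which is
    # why repo_path is allow-listed rather than merely quoted.
    argv.append(f"hg -R {repo_path} serve --stdio")
    return argv


if __name__ == "__main__":
    # Constructed sample inputs: one benign, two modelled on the CVE descriptions above.
    print(build_ssh_argv("hg.example.org", "projects/tool", user="alice", port=2222))
    for bad_host, bad_repo in [("-oProxyCommand", "projects/tool"), ("hg.example.org", "--debugger")]:
        try:
            build_ssh_argv(bad_host, bad_repo)
        except UnsafeArgument as exc:
            print("rejected:", exc)
```

The argv is passed to `subprocess.run(argv)` (or `Popen`) without `shell=True`; the point of building a list rather than a string is that the local shell never sees the hostname at all, so the only remaining parser to protect is ssh's own, which the allow-list and the `--` marker handle.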
(from redmine: issue id 7693, created on 2017-08-15, closed on 2017-08-21)
- Relations:
  - parent #7691 (closed)
- Changesets:
  - Revision 46f1c492 by Natanael Copa on 2017-08-18T23:09:20Z:
    main/mercurial: security upgrade to 4.3.1
    fixes #7693
    CVE-2017-9462
    CVE-2017-1000115
    CVE-2017-1000116