[3.4] mercurial: Multiple vulnerabilities (CVE-2017-9462, CVE-2017-1000115, CVE-2017-1000116)
CVE-2017-9462: Python debugger accessible to authorized users
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
CVE-2017-1000115: Mercurial’s symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
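The symlink issue above is a path-auditing problem: a write that is meant to land inside the working copy is redirected elsewhere because some component of the path is a symbolic link. The following is an added example of such an audit, written for this advisory and not taken from Mercurial's own pathauditor; the names `audit_path`, `PathAuditError` and `demo` are assumptions. The policy it demonstrates is deliberately strict: a path is refused if it is absolute, contains `.` or `..`, or traverses any symlink at any level, so the check does not have to reason about where a link points (which can change after the check).

```python
import os
import tempfile

# Added example (not Mercurial's own pathauditor). Policy demonstrated:
# a path to be written under the repository root must be relative, contain
# no '.' / '..' / empty components, and must not traverse any symbolic link.
# Refusing to write through symlinks at all avoids having to reason about
# where the link currently points, which can change after the check.


class PathAuditError(Exception):
    """Raised when a path may not be written under the repository root."""


def audit_path(root, relpath):
    """Return the absolute destination for `relpath` under `root`, or raise
    PathAuditError if writing there could land outside the repository."""
    root_real = os.path.realpath(root)
    parts = relpath.replace("\\", "/").split("/")
    # Absolute paths split to a leading empty component, so they are caught
    # together with '.' and '..'.
    if any(p in ("", ".", "..") for p in parts):
        raise PathAuditError("unsafe component in %r" % relpath)
    cur = root_real
    for part in parts:
        cur = os.path.join(cur, part)
        # Check every intermediate component, not only the leaf: a symlinked
        # directory higher up is the usual way a write escapes the root.
        if os.path.islink(cur):
            raise PathAuditError("%r traverses symbolic link %r" % (relpath, cur))
    # Belt and braces: the resolved destination must still sit below the root.
    final = os.path.realpath(cur)
    if final != root_real and not final.startswith(root_real + os.sep):
        raise PathAuditError("%r resolves outside repository: %r" % (relpath, final))
    return final


def demo():
    """Constructed scenario: a working copy containing a symlink 'link' that
    points at a directory outside the repository root. Returns, for a few
    candidate paths, whether the auditor accepts or rejects them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "docs"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))
        results = {}
        for rel in ("docs/README", "link/note.txt", "../outside/note.txt", "/etc/hosts"):
            try:
                audit_path(root, rel)
                results[rel] = "ok"
            except PathAuditError:
                results[rel] = "rejected"
        return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print("%-22s %s" % (path, verdict))
```

The walk is done component by component on purpose: checking only the leaf, or only the final resolved path, is exactly the kind of incompleteness that lets a write through `link/` end up outside the root while the leaf itself looks harmless.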
CVE-2017-1000116: Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
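CVE-2017-9462 and CVE-2017-1000116 share one shape: an attacker-chosen string (a repository name on the server, an ssh hostname on the client) reaches a command-line parser, and a value beginning with `-` is read as an option rather than as data. The block below is an added example written for this advisory, not Mercurial's code and not a description of how Mercurial fixed either issue; `reject_option_like`, `validate_repo_name`, `build_ssh_command` and `demo` are assumed names. It shows the two complementary defences: refuse option-looking values at the trust boundary, and, when an ssh command line is built, terminate option parsing with `--` so the hostname is positional whatever it contains, and shell-quote the remote command because sshd hands it to the login shell.

```python
import shlex

# Added example, not code from Mercurial. Both advisory items share one
# shape: an attacker-chosen string (a repository name, an ssh hostname) ends
# up where a command-line parser reads it, and a value starting with '-' is
# taken as an option. The defence is to reject option-looking values at the
# trust boundary and, where a subprocess is built, to terminate option
# parsing with '--' so the value is positional no matter what it contains.


class UnsafeArgument(ValueError):
    """Raised for a value that a command-line parser would treat as an option."""


def reject_option_like(value, what):
    """Return `value` unchanged if it cannot be read as a flag; raise otherwise.
    Catches both '--debugger' and '-oProxyCommand=...' style values."""
    if not value or value.startswith("-"):
        raise UnsafeArgument("%s %r would be parsed as a command-line option" % (what, value))
    return value


def validate_repo_name(name):
    """Repository name handed to 'hg serve --stdio' on the server side."""
    reject_option_like(name, "repository name")
    if "/" in name or "\\" in name or name in (".", ".."):
        raise UnsafeArgument("repository name %r contains path components" % name)
    return name


def build_ssh_command(host, repo_path, user=None, port=None):
    """Build the argv a client would use to reach 'hg serve --stdio' over ssh.
    The hostname (and user) are checked and placed after '--'; the remote
    command line is shell-quoted because sshd hands it to the login shell.
    The argv is only constructed here, never executed."""
    reject_option_like(host, "hostname")
    if user is not None:
        reject_option_like(user, "username")
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(int(port))]
    target = host if user is None else "%s@%s" % (user, host)
    remote_cmd = "hg -R %s serve --stdio" % shlex.quote(repo_path)
    argv += ["--", target, remote_cmd]
    return argv


def demo():
    """Constructed inputs: one benign hostname and one that starts with
    -oProxyCommand, as in the advisory, plus a benign and an option-shaped
    repository name. Returns the verdict (argv, name, or 'rejected') for each."""
    results = {}
    for host in ("hg.example.org", "-oProxyCommand"):
        try:
            results[host] = build_ssh_command(host, "project")
        except UnsafeArgument:
            results[host] = "rejected"
    for name in ("project", "--debugger"):
        try:
            results[name] = validate_repo_name(name)
        except UnsafeArgument:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for value, verdict in demo().items():
        print("%-18s %s" % (value, verdict))
```

Rejecting a leading `-` and inserting `--` are both needed: the rejection protects every consumer of the value, including parsers that do not honour `--`, while `--` protects the ssh invocation even if a validation step is missed somewhere else in the code path.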
(from redmine: issue id 7694, created on 2017-08-15, closed on 2017-08-21)
- Relations:
  - parent #7691 (closed)
- Changesets:
  - Revision d01cd609 by Natanael Copa on 2017-08-18T23:12:43Z:
    main/mercurial: security upgrade to 4.3.1
    fixes #7694
    CVE-2017-9462
    CVE-2017-1000115
    CVE-2017-1000116