[3.3] mercurial: Multiple vulnerabilities (CVE-2017-9462, CVE-2017-1000115, CVE-2017-1000116)
CVE-2017-9462: Python debugger accessible to authorized users
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users (anyone with ssh access to the served repositories, typically via a restricted hg-ssh login) to launch the Python debugger, and consequently execute arbitrary code on the server, by using --debugger as a repository name.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
CVE-2017-1000115: Mercurial’s symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
CVE-2017-1000116: Mercurial did not sanitize hostnames before passing them to ssh. Because ssh treats an argument beginning with "-" as an option rather than a destination, a hostname starting with -oProxyCommand makes ssh run the attacker's ProxyCommand value through the client's shell, so a crafted ssh:// URL that a client is made to contact (for example by clone or pull) results in command execution on the client.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
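Both CVE-2017-9462 and CVE-2017-1000116 above are the same class of bug, argument injection: a user-chosen string (a repository name on the server, a hostname on the client) is spliced into an argv at a position where the receiving program's option parser may read it as a flag. The following is an added illustration written for this page, not Mercurial's own code or its actual fix. It models a naive client-side ssh command builder beside a hardened one that rejects leading-dash tokens, and a toy restricted-shell wrapper of the hg-ssh kind that applies the same check to the repository name. The URLs, the `${IFS}` payload shape and the function names are constructed for the example.

```python
"""Argument-injection checks for strings that end up in an argv.

Illustrative code, not Mercurial's own. It models two spots in an
hg-over-ssh setup where an attacker-chosen string is spliced into a
command line and can be read as an option by the receiving program:

  client: the host of ssh://HOST/path becomes an argument of ssh
  server: a restricted shell runs `hg -R REPO serve --stdio`, with REPO
          taken from the user's SSH_ORIGINAL_COMMAND
"""
import shlex
from urllib.parse import urlsplit


class UnsafeArgument(ValueError):
    """Raised when a user-supplied value would be parsed as an option."""


def parse_ssh_url(url):
    """Split ssh://[user@]host[:port]/path into (user, host, port, path).

    Deliberately minimal (no percent-decoding, no IPv6 brackets). A host
    that starts with '-' is syntactically fine here, which is the problem.
    """
    parts = urlsplit(url)
    if parts.scheme != 'ssh' or not parts.netloc:
        raise ValueError('not an ssh URL: %r' % url)
    user, netloc = None, parts.netloc
    if '@' in netloc:
        user, netloc = netloc.rsplit('@', 1)
    host, port = netloc, None
    if ':' in netloc:
        host, portstr = netloc.rsplit(':', 1)
        port = int(portstr)
    return user, host, port, parts.path.lstrip('/')


def remote_command(path):
    """The command ssh hands to the remote login shell, as one string."""
    return 'hg -R %s serve --stdio' % shlex.quote(path)


def naive_ssh_argv(user, host, port, path):
    """Pre-fix shape: the host is placed right after ssh's own options,
    so a host beginning with '-' is consumed by ssh as another option."""
    argv = ['ssh']
    if port is not None:
        argv += ['-p', str(port)]
    argv.append(host if user is None else '%s@%s' % (user, host))
    argv.append(remote_command(path))
    return argv


def check_not_option(value, what):
    """Reject empty values and anything an option parser would take as a flag."""
    if not value or value.startswith('-'):
        raise UnsafeArgument('%s %r would be parsed as an option' % (what, value))
    return value


def safe_ssh_argv(user, host, port, path):
    """Hardened builder: validate every user-controlled token before it
    reaches a command line (ours, and the remote hg's via -R)."""
    check_not_option(host, 'host')
    check_not_option(path, 'path')
    if user is not None:
        check_not_option(user, 'user')
    return naive_ssh_argv(user, host, port, path)


def is_safe_ssh_url(url):
    """Convenience pre-check for URLs taken from untrusted data."""
    try:
        safe_ssh_argv(*parse_ssh_url(url))
    except (UnsafeArgument, ValueError):
        return False
    return True


def restricted_server_argv(ssh_original_command, allowed_repos):
    """Model of a restricted login shell for hg: accept exactly
    `hg -R <repo> serve --stdio`, and only for allowlisted <repo> values.
    The leading-dash check keeps a name such as '--debugger' from ever
    reaching hg's option parser, whatever hg itself does with it."""
    args = shlex.split(ssh_original_command)
    if len(args) != 5 or args[:2] != ['hg', '-R'] or args[3:] != ['serve', '--stdio']:
        raise UnsafeArgument('unexpected command: %r' % ssh_original_command)
    repo = check_not_option(args[2], 'repository')
    if repo not in allowed_repos:
        raise UnsafeArgument('repository not permitted: %r' % repo)
    return ['hg', '-R', repo, 'serve', '--stdio']


# Constructed inputs for the demonstration (not taken from a real incident).
EVIL_URL = 'ssh://-oProxyCommand=touch${IFS}owned/path'
GOOD_URL = 'ssh://alice@hg.example.org:2222/projects/repo'

if __name__ == '__main__':
    fields = parse_ssh_url(EVIL_URL)
    print('naive argv :', naive_ssh_argv(*fields))   # host lands as an ssh option
    print('safe?      :', is_safe_ssh_url(EVIL_URL), is_safe_ssh_url(GOOD_URL))
    print('server argv:', restricted_server_argv('hg -R projects/repo serve --stdio',
                                                 {'projects/repo'}))
```

The check is deliberately coarse: rejecting any token that begins with "-" is simpler to reason about than enumerating dangerous options, and it covers the path after -R as well as the host, since the remote hg sees that path on its own command line. Quoting with shlex.quote handles the shell layer only; it does nothing about option parsing, which is why the two defences are separate.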
(from redmine: issue id 7695, created on 2017-08-15, closed on 2017-08-21)
- Relations:
- parent #7691 (closed)
- Changesets:
- Revision cdafec62 by Natanael Copa on 2017-08-18T23:17:58Z:
main/mercurial: security upgrade to 4.3.1
fixes #7695
CVE-2017-9462
CVE-2017-1000115
CVE-2017-1000116