mercurial: CVE-2017-1000116: command injection on clients through malicious ssh URLs

Related Vulnerabilities: CVE-2017-1000116   CVE-2017-1000115   CVE-2017-9462  

Debian Bug report logs - #871710
mercurial: CVE-2017-1000116: command injection on clients through malicious ssh URLs

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 10 Aug 2017 20:03:02 UTC

Severity: grave

Tags: security, upstream

Found in version mercurial/4.0-1

Fixed in version mercurial/4.3.1-1

Done: Tristan Seligmann <mithrandi@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>:
Bug#871710; Package src:mercurial. (Thu, 10 Aug 2017 20:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Thu, 10 Aug 2017 20:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mercurial:CVE-2017-1000116: command injection on clients through malicious ssh URLs
Date: Thu, 10 Aug 2017 21:59:04 +0200
Source: mercurial
Version: 4.0-1
Severity: grave
Tags: upstream security

Hi,

the following vulnerability was published for mercurial.

CVE-2017-1000116[0]:
command injection on clients through malicious ssh URLs

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000116
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Changed Bug title to 'mercurial: CVE-2017-1000116: command injection on clients through malicious ssh URLs' from 'mercurial:CVE-2017-1000116: command injection on clients through malicious ssh URLs'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Aug 2017 20:18:03 GMT)


Reply sent to Tristan Seligmann <mithrandi@debian.org>:
You have taken responsibility. (Fri, 11 Aug 2017 10:21:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 11 Aug 2017 10:21:14 GMT)


Message #12 received at 871710-close@bugs.debian.org:

From: Tristan Seligmann <mithrandi@debian.org>
To: 871710-close@bugs.debian.org
Subject: Bug#871710: fixed in mercurial 4.3.1-1
Date: Fri, 11 Aug 2017 10:19:32 +0000
Source: mercurial
Source-Version: 4.3.1-1

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 871710@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tristan Seligmann <mithrandi@debian.org> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 11 Aug 2017 05:00:16 +0200
Source: mercurial
Binary: mercurial-common mercurial
Architecture: source
Version: 4.3.1-1
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>
Changed-By: Tristan Seligmann <mithrandi@debian.org>
Description:
 mercurial  - easy-to-use, scalable distributed version control system
 mercurial-common - easy-to-use, scalable distributed version control system (common
Closes: 861243 868014 871709 871710
Changes:
 mercurial (4.3.1-1) unstable; urgency=high
 .
   * Urgency high because of important security fixes.
   * New upstream release (closes: #868014).
     - CVE-2017-1000115: Mercurial's symlink auditing was incomplete prior
       to 4.3, and could be abused to write to files outside the
       repository (closes: #871709).
     - CVE-2017-1000116: Mercurial was not sanitizing hostnames passed to
       ssh, allowing shell injection attacks by specifying a hostname
       starting with -oProxyCommand (closes: #871710).
     - CVE-2017-9462: previously fixed in 4.1.3 upstream (closes: #861243).
   * Blacklist test-https.t due to TLS 1.0/1.1 being disabled in OpenSSL in
     unstable.
   * Fix license definitions in debian/copyright.
   * Bump Standards-Version to 4.0.0 (no changes).
   * Run wrap-and-sort -t -s.

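The changelog above describes the CVE-2017-1000116 fix as refusing to pass ssh a hostname that begins with "-oProxyCommand". The following is an added example, not Mercurial's own code: a small ssh:// URL parser and argv builder (both hypothetical constructions, as are the sample URLs) that applies the same defensive rule to the user and host components before they reach ssh's option parser.

```python
import re
import shlex

# Constructed sample URLs. The last two are the shape the fix rejects:
# a user or host component starting with '-' would be parsed by ssh as
# an option (such as -oProxyCommand=...) rather than as a destination.
SAFE_URL = "ssh://hg.example.org/repo"
DASH_HOST_URL = "ssh://-oProxyCommand=true/repo"
DASH_USER_URL = "ssh://-x@hg.example.org/repo"


def parse_ssh_url(url):
    """Split an ssh:// URL into (user, host, port, path). Hypothetical minimal parser."""
    m = re.match(r"ssh://(?:([^@/]+)@)?([^/:]+)(?::(\d+))?(/.*)?$", url)
    if not m:
        raise ValueError("not an ssh:// URL: %r" % url)
    user, host, port, path = m.groups()
    return user, host, port, path or "/"


def check_safe_ssh(component):
    """Reject a user or host component that ssh could interpret as an option.

    ssh receives the destination as a positional argument; a value whose
    first non-blank character is '-' is consumed by its option parser instead.
    """
    if component is not None and component.lstrip().startswith("-"):
        raise ValueError("unsafe ssh component (option-like): %r" % component)


def build_ssh_argv(url, remotecmd="hg -R {path} serve --stdio"):
    """Build the argv a client would exec, refusing option-like components.

    The argv is a list (no shell), so the remaining risk is ssh's own
    argument parsing, which check_safe_ssh() guards against.
    """
    user, host, port, path = parse_ssh_url(url)
    check_safe_ssh(user)
    check_safe_ssh(host)
    dest = host if user is None else "%s@%s" % (user, host)
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    argv += [dest, remotecmd.format(path=shlex.quote(path))]
    return argv


def is_safe_ssh_url(url):
    """True if build_ssh_argv() accepts the URL, False if it was rejected."""
    try:
        build_ssh_argv(url)
        return True
    except ValueError:
        return False
```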






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:08:30 2019; Machine Name: buxtehude
