Several issues were discovered in Mercurial, a distributed revision control system. CVE-2017-9462 (fixed in stretch only) Jonathan Claudius of Mozilla discovered that repositories served over stdio could be tricked into granting authorized users access to the Python debugger. CVE-2017-1000115 Mercurial's symlink auditing was incomplete, and could be abused to write files outside the repository. CVE-2017-1000116 Joern Schneeweisz discovered that Mercurial did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command. For the oldstable distribution (jessie), these problems have been fixed in version 3.1.2-2+deb8u4. For the stable distribution (stretch), these problems have been fixed in version 4.0-1+deb9u1. We recommend that you upgrade your mercurial packages.
Several issues were discovered in Mercurial, a distributed revision control system.
Jonathan Claudius of Mozilla discovered that repositories served over stdio could be tricked into granting authorized users access to the Python debugger.
Mercurial's symlink auditing was incomplete, and could be abused to write files outside the repository.
Joern Schneeweisz discovered that Mercurial did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command.
For the oldstable distribution (jessie), these problems have been fixed in version 3.1.2-2+deb8u4.
For the stable distribution (stretch), these problems have been fixed in version 4.0-1+deb9u1.
We recommend that you upgrade your mercurial packages.