
Debian 8 DLA-1414-1 Moderate: Mercurial Code Execution Issues

Debian LTS
July 5, 2018
Vulnerabilities in Mercurial lead to potential unauthorized code execution and exposure of sensitive data. It's advised to apply updates for Debian 8 to mitigate these security risks.
Some security vulnerabilities were found in Mercurial which allow authenticated users to trigger arbitrary code execution and unauthorized data access in certain server configurati...

Summary

CVE-2017-9462

In Mercurial before 4.1.3, "hg serve --stdio" allows remote
authenticated users to launch the Python debugger, and
consequently execute arbitrary code, by using --debugger as a
repository name.
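The issue above is an option-injection problem: a repository argument that begins with a dash gets interpreted by hg as an option. As an added example (not from the advisory and not Mercurial's own hg-ssh script), the following forced-command check accepts only the exact shape "hg -R <repo> serve --stdio", refuses any repository name that looks like an option, and then requires the normalised path to be on an allow-list; ALLOWED_REPOS is an assumed, constructed allow-list.

```python
import os
import shlex

# Constructed for this example: the repositories this SSH key may serve.
ALLOWED_REPOS = {"/srv/hg/project-a", "/srv/hg/project-b"}


def validate_ssh_command(original_command, allowed=ALLOWED_REPOS):
    """Validate SSH_ORIGINAL_COMMAND for a forced-command Mercurial wrapper.

    Returns the absolute repository path to serve, or None when the
    command must be rejected. Only 'hg -R <repo> serve --stdio' with
    exactly five tokens is accepted, so trailing extras such as
    '--debugger' never reach hg.
    """
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return None  # unbalanced quotes: refuse rather than guess

    if len(argv) != 5:
        return None
    if argv[0] != "hg" or argv[1] != "-R" or argv[3:] != ["serve", "--stdio"]:
        return None

    repo = argv[2]
    # Defence in depth: a repository name must never look like an option.
    # '--debugger' in this position is what the advisory text describes.
    if repo.startswith("-"):
        return None

    # Normalise before the allow-list check so '..' components cannot
    # escape to a path the key is not entitled to serve.
    real = os.path.realpath(repo)
    if real not in allowed:
        return None
    return real
```

Relative repository names resolve against the wrapper's working directory and will therefore fail the allow-list unless that directory is one of the allowed paths.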

CVE-2017-17458

In Mercurial before 4.4.1, it is possible that a specially
malformed repository can cause Git subrepositories to run
arbitrary code in the form of a .git/hooks/post-update script
checked into the repository. Typical use of Mercurial prevents
construction of such repositories, but they can be created
programmatically.

CVE-2018-1000132

Mercurial version 4.5 and earlier contains an Incorrect Access
Control (CWE-285) vulnerability in the protocol server that can result
in unauthorized data access. This attack appears to be exploitable
via network connectivity. This vulnerability appears to have been
fixed in 4.5.1.

OVE-20180430-0001

mpatch: be more careful about parsing binary patch data

OVE-20180430-0002

Package: mercurial
Version: 3.1.2-2+deb8u5
CVE ID: CVE-2017-9462 CVE-2017-17458 CVE-2018-1000132
Debian Bug: 861243 892964 901050
