Explore top 10 tips to secure your open-source projects now. Read More
×Mercurial SCM Web Interface cross site scripting. (CVE-2025-2361) References: - https://bugs.mageia.org/show_bug.cgi?id=34129 - https://www.openwall.com/lists/oss-security/2025/03/21/2 . MGASA-2025-0120 - Updated mercurial packages fix security vulnerability Publication date: 31 Mar 2025 URL: https://advisories.mageia.org/MGASA-2025-0120.html Type: security Affected Mageia releases: 9 CVE: CVE-2025-2361 Mercurial SCM Web Interface cross site scripting. (CVE-2025-2361) References: - https://bugs.mageia.org/show_bug.cgi?id=34129 - https://www.openwall.com/lists/oss-security/2025/03/21/2 - https://lists.mercurial-scm.org/pipermail/mercurial-packaging/2025-March/000754.html - https://lists.debian.org/debian-security-announce/2025/msg00045.html - https://www.cve.org/CVERecord?id=CVE-2025-2361 SRPMS: - 9/core/mercurial-6.5.1-1.1.mga9 . Mercurial SCM Web Interface had a cross site scripting issue fixed in Mageia's security advisory 2025-0120.. mercurial, interface, cross, scripting, (cve-2025-2361), https, //bugs, mageia. . Severity: Important. LinuxSecurity.com Team
* bsc#1239685 Cross-References: * CVE-2025-2361 . # Security update for mercurial Announcement ID: SUSE-SU-2025:1054-1 Release Date: 2025-03-28T16:55:02Z Rating: important References: * bsc#1239685 Cross-References: * CVE-2025-2361 CVSS scores: * CVE-2025-2361 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L * CVE-2025-2361 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L * CVE-2025-2361 ( NVD ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2025-2361 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Affected Products: * Basesystem Module 15-SP6 * openSUSE Leap 15.4 * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP4 LTSS * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP5 LTSS * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.3 An update that solves one vulnerability can now be installed. ## Description: This update for mercurial fixes the following issues: * CVE-2025-2361: Fixed improper sanitization of user-controlled input passed via the cmd parameter in theMercurial SCM Web Interface (bsc#1239685) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch SUSE-2025-1054=1 * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2025-1054=1 * Basesystem Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-1054=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-1054=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-1054=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-1054=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-1054=1 * SUSE Linux Enterprise Server 15 SP4 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-1054=1 * SUSE Linux Enterprise Server 15 SP5 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-1054=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-1054=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-1054=1 * SUSE Manager Proxy 4.3 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2025-1054=1 * SUSE Manager Retail Branch Server 4.3 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch- Server-4.3-2025-1054=1 * SUSE Manager Server 4.3 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-1054=1 ## Package List: * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586) * mercurial-5.9.1-150400.3.6.1 * mercurial-tests-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * openSUSE Leap 15.4 (noarch) * mercurial-lang-5.9.1-150400.3.6.1 * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-tests-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * openSUSE Leap 15.6 (noarch) * mercurial-lang-5.9.1-150400.3.6.1 * Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64) * mercurial-5.9.1-150400.3.6.1 *mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * SUSE Manager Proxy 4.3 (x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * SUSE Manager Retail Branch Server 4.3 (x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 * SUSE Manager Server 4.3 (ppc64le s390x x86_64) * mercurial-5.9.1-150400.3.6.1 * mercurial-debuginfo-5.9.1-150400.3.6.1 * mercurial-debugsource-5.9.1-150400.3.6.1 ## References: * https://www.suse.com/security/cve/CVE-2025-2361.html * https://bugzilla.suse.com/show_bug.cgi?id=1239685 . Crucial announcement regarding Mercurial addressing flawed user-data validation. Safeguard against recognized vulnerabilities immediately.. mercurial update, SUSE vulnerability, security patch, software advisory. . Severity: Important. LinuxSecurity.com Team
A cross-site scripting vulnerability was discovered in hgweb, the integrated stand-alone web interface of the Mercurial version control system. . ------------------------------------------------------------------------- Debian LTS Advisory DLA-4094-1
A cross-site scripting vulnerability was discovered in hgweb, the integrated stand-alone web interface of the Mercurial version control system. . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5883-1
An update that solves one vulnerability can now be installed.. # mercurial-6.9.4-1.1 on GA media Announcement ID: openSUSE-SU-2025:14912-1 Rating: moderate Cross-References: * CVE-2025-2361 CVSS scores: * CVE-2025-2361 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L * CVE-2025-2361 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L Affected Products: * openSUSE Tumbleweed An update that solves one vulnerability can now be installed. ## Description: These are all security issues fixed in the mercurial-6.9.4-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * mercurial 6.9.4-1.1 * mercurial-lang 6.9.4-1.1 * mercurial-tests 6.9.4-1.1 ## References: * https://www.suse.com/security/cve/CVE-2025-2361.html . A moderate security advisory for openSUSE addressing CVE-2025-2361 in Mercurial version 6.9.4-1.1 with recommended updates.. update, solves, vulnerability, installed, mercurial-6, media. . LinuxSecurity.com Team
Several security issues were fixed in Mercurial.. =========================================================================Ubuntu Security Notice USN-5102-1 October 04, 2021 mercurial vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Mercurial. Software Description: - mercurial: easy-to-use, scalable distributed version control system Details: It was discovered that Mercurial mishandled symlinks in subrepositories. An attacker could use this issue to write arbitrary files to the target’s filesystem. (CVE-2019-3902) It was discovered that Mercurial incorrectly handled certain manifest files. An attacker could use this issue to cause a denial of service and possibly execute arbitrary code. (CVE-2018-17983) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS: mercurial 4.5.3-1ubuntu2.2 mercurial-common 4.5.3-1ubuntu2.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5102-1 CVE-2018-17983, CVE-2019-3902 Package Information: https://launchpad.net/ubuntu/+source/mercurial/4.5.3-1ubuntu2.2 . Multiple security issues resolved in Mercurial for Ubuntu 18.04 LTS. Recommended to update for improved safety.. Mercurial Updates, Ubuntu Security Notices, Software Vulnerabilities. . Severity: Critical. LinuxSecurity.com Team
An update that fixes one vulnerability is now available. . SUSE Security Update: Security update for mercurial ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3003-1 Rating: low References: #1133035 Cross-References: CVE-2019-3902 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for mercurial fixes the following issues: Security issue fixed: - CVE-2019-3902: Fixed incorrect patch-checking with symlinks and subrepos (bsc#1133035). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-3003=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): mercurial-2.8.2-15.18.4 mercurial-debuginfo-2.8.2-15.18.4 mercurial-debugsource-2.8.2-15.18.4 References: https://www.suse.com/security/cve/CVE-2019-3902.html https://bugzilla.suse.com/1133035 . SUSE Security Patch for mercurial: addresses a security concern with a minimal severity score. Follow the provided guidance for the update.. SUSE Security Update, Mercurial Patch, Low Severity Fix, Software Security Advisory. . Severity: Low. LinuxSecurity.com Team
Several vulnerabilities were discovered in mercurial, an easy-to-use, scalable distributed version control system. CVE-2017-17458 . -------------------------------------------------------------------------Debian LTS Advisory DLA-2293-1
Get the latest Linux and open source security news straight to your inbox.