CVE-2017-1000116 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Critical
Remote	Yes
Type	Arbitrary command execution
Description	Mercurial < 4.3 was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-378	mercurial	4.2.2-1	4.2.3-1	Critical	Fixed

Date	Advisory	Group	Package	Severity	Type
12 Aug 2017	ASA-201708-7	AVG-378	mercurial	Critical	multiple issues

References
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29