AVG-378

Package mercurial
Status Fixed
Severity Critical
Type multiple issues
Affected 4.2.2-1
Fixed 4.2.3-1
Current 4.6.1-1 [extra]
Ticket None
Created Thu Aug 10 21:11:56 2017
| Issue | Severity | Remote | Type | Description |
|---|---|---|---|---|
| CVE-2017-1000116 | Critical | Yes | Arbitrary command execution | Mercurial < 4.3 was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with... |
| CVE-2017-1000115 | High | Yes | Arbitrary filesystem access | Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository. |

| Date | Advisory | Package | Description |
|---|---|---|---|
| 12 Aug 2017 | ASA-201708-7 | mercurial | multiple issues |