CVE-2017-1000116

Source
Severity Critical
Remote Yes
Type Arbitrary command execution
Description
Mercurial < 4.3 was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed.
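A client-side check for the condition described above, as an added example (not Mercurial's actual patch): it rejects ssh-style repository URLs whose host or user part ssh would read as a command-line option. The function names, the scheme list and the sample URLs are assumptions constructed for this illustration.

```python
from urllib.parse import unquote

# Schemes whose authority part ends up on an ssh command line (assumed list).
SSH_SCHEMES = {"ssh", "svn+ssh", "git+ssh"}


class UnsafeSSHURL(ValueError):
    """The URL's host or user would not be treated by ssh as a plain name."""


def check_ssh_url(url):
    """Return (user, host) for a safe ssh-style URL, None for other schemes."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in SSH_SCHEMES:
        return None
    # Decode first: a percent-encoded leading dash must be caught as well.
    authority = unquote(rest.split("/", 1)[0])
    userinfo, _, hostport = authority.rpartition("@")
    user = userinfo.split(":", 1)[0]
    head, _, tail = hostport.rpartition(":")
    host = head if head and tail.isdigit() else hostport
    if not host:
        raise UnsafeSSHURL("empty hostname in %r" % url)
    for label, value in (("hostname", host), ("user", user)):
        if value.startswith("-"):
            raise UnsafeSSHURL("%s %r would be parsed as an ssh option" % (label, value))
        if any(ch.isspace() or ord(ch) < 32 for ch in value):
            raise UnsafeSSHURL("%s %r contains whitespace or control characters" % (label, value))
    return user, host


def unsafe_entries(paths):
    """Given {name: url}, return the names whose URL fails check_ssh_url."""
    flagged = []
    for name, url in paths.items():
        try:
            check_ssh_url(url)
        except UnsafeSSHURL:
            flagged.append(name)
    return flagged


# Constructed sample entries, e.g. collected from repository configuration.
SAMPLE_PATHS = {
    "default": "ssh://hg@example.org:2222/repo",
    "mirror": "https://example.org/repo",
    "dash-host": "ssh://-oProxyCommand=placeholder/repo",
    "encoded": "ssh://%2DoProxyCommand=placeholder/repo",
}
```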
Group    Package    Affected  Fixed    Severity  Status  Ticket
AVG-378  mercurial  4.2.2-1   4.2.3-1  Critical  Fixed
Date         Advisory      Group    Package    Severity  Description
12 Aug 2017  ASA-201708-7  AVG-378  mercurial  Critical  multiple issues
References
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29