DSA-3963-1 mercurial -- mercurial
ID: oval:org.secpod.oval:def:603088 | Date: (C)2017-09-06 (M)2023-04-19 |
Class: PATCH | Family: unix |
Several issues were discovered in Mercurial, a distributed revision control system.

CVE-2017-9462: Jonathan Claudius of Mozilla discovered that repositories served over stdio could be tricked into granting authorized users access to the Python debugger.

CVE-2017-1000115: Mercurial's symlink auditing was incomplete, and could be abused to write files outside the repository.

CVE-2017-1000116: Joern Schneeweisz discovered that Mercurial did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command.
Platform: |
Debian 8.x |
Debian 9.x |