Advisories » MGASA-2017-0182

Updated mercurial packages fix security vulnerability

Publication date: 26 Jun 2017
Modification date: 26 Jun 2017
Type: security
Affected Mageia releases : 5
CVE: CVE-2017-9462

Description

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated
users to launch the Python debugger, and consequently execute arbitrary
code, by using --debugger as a repository name.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=20849
• https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00007.html
• https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9462

SRPMS

5/core

• mercurial-3.1.1-5.3.mga5