FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Mercurial -- multiple vulnerabilities

Affected packages
mercurial < 4.3

Details

VuXML ID 1d33cdee-7f6b-11e7-a9b5-3debb10a6871
Discovery 2017-08-10
Entry 2017-08-12

Mercurial Release Notes:

CVE-2017-1000115

Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
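The release note above describes the symlink problem in one sentence. The following Python script, an added example that is not Mercurial's own path auditor, shows the check a working-copy writer needs: every component of a repository-relative path is inspected with lstat() before anything is written, and a symbolic link anywhere in it is refused rather than followed. The demo() function builds a constructed working directory (a tracked symlink named `link` pointing outside the repository root) and audits three paths against it; the function names and the layout are illustrative assumptions, not Mercurial identifiers.

```python
import os
import stat
import tempfile


class PathAuditError(ValueError):
    """Raised for a repository-relative path that must not be written to."""


def audit_path(root, relpath):
    """Reject relpath if writing it under root would pass through a symlink.

    A checkout that follows a symlink in the working directory can be made
    to write outside the repository: the link is itself a tracked file the
    remote side controls, so it points wherever the attacker likes.  Every
    component of the path is therefore checked with lstat(); a symlink
    anywhere in it, the leaf included, is refused instead of followed.
    Components that do not exist yet are fine, there is nothing to traverse.
    Returns True when the path is acceptable.
    """
    if os.path.isabs(relpath):
        raise PathAuditError("absolute path %r" % relpath)
    parts = [p for p in relpath.replace("\\", "/").split("/") if p and p != "."]
    if ".." in parts:
        raise PathAuditError("path %r contains '..'" % relpath)
    cur = root
    for part in parts:
        cur = os.path.join(cur, part)
        try:
            st = os.lstat(cur)          # lstat: never follow the link itself
        except FileNotFoundError:
            break                       # the rest of the path does not exist yet
        if stat.S_ISLNK(st.st_mode):
            raise PathAuditError(
                "path %r traverses symbolic link %r" % (relpath, part))
    return True


def is_safe_path(root, relpath):
    """Boolean form of audit_path() for callers that do not want exceptions."""
    try:
        return audit_path(root, relpath)
    except PathAuditError:
        return False


def demo():
    """Audit three paths against a constructed working directory.

    The layout mimics the attack: the "repository" contains a tracked
    symlink 'link' whose target lies outside the repository root.
    Returns a dict mapping each audited path to whether it was accepted.
    """
    outside = tempfile.mkdtemp(prefix="outside-")   # where the attacker wants to write
    root = tempfile.mkdtemp(prefix="repo-")         # the working directory
    os.makedirs(os.path.join(root, "docs"))
    os.symlink(outside, os.path.join(root, "link"))  # constructed attacker-controlled link
    return {
        "docs/README": is_safe_path(root, "docs/README"),    # ordinary file: accepted
        "link/evil.sh": is_safe_path(root, "link/evil.sh"),  # would land in 'outside'
        "../evil.sh": is_safe_path(root, "../evil.sh"),      # escapes by traversal
    }


if __name__ == "__main__":
    for path, ok in demo().items():
        print("%-14s %s" % (path, "accepted" if ok else "REJECTED"))
```

The important detail is lstat() rather than stat() or os.path.exists(): the latter two resolve the link and report the target, which is exactly the information an auditor must not trust. Checking the leaf as well as the parents matters because a file that is itself a symlink would otherwise be overwritten through the link.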

CVE-2017-1000116

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed.
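To make the injection concrete, the Python script below is an added example, not Mercurial's sshpeer code: it parses an ssh:// URL the way a trusting client does and builds the ssh command line twice, once unchecked (the pre-fix behaviour the release note describes) and once with the guard that the fixed clients adopted, refusing a user@host target that begins with `-`. The URL parser, the argv layout and the `hg -R <path> serve --stdio` remote command are simplifications assumed for the example; the real client builds a shell string rather than an argv list, but the injection point is the same. The hardened variant also insists on a numeric port and puts `--` before the host as an independent second guard.

```python
import shlex
from urllib.parse import unquote


def parse_ssh_url(url):
    """Split ssh://[user@]host[:port]/path into its parts.

    Deliberately validates nothing, like a client that trusts whatever the
    URL (or a subrepository definition fetched from a remote) says.
    Percent-encoding is decoded, so '%20' inside the host becomes a space.
    """
    if not url.startswith("ssh://"):
        raise ValueError("not an ssh:// URL: %r" % url)
    netloc, _, path = url[len("ssh://"):].partition("/")
    user = port = None
    if "@" in netloc:
        user, _, netloc = netloc.rpartition("@")
    if ":" in netloc:
        netloc, _, port = netloc.rpartition(":")
    return {"user": unquote(user) if user else None,
            "host": unquote(netloc), "port": port, "path": unquote(path)}


def _target(u):
    """The single argv element ssh receives as its destination."""
    return u["host"] if u["user"] is None else "%s@%s" % (u["user"], u["host"])


def ssh_argv_vulnerable(url, remotecmd="hg"):
    """Build the ssh command line with the destination placed unchecked.

    ssh parses its arguments with getopt, so a destination such as
    '-oProxyCommand=touch pwned' is read as an option, and ProxyCommand
    is handed to the shell before any connection is attempted.
    """
    u = parse_ssh_url(url)
    argv = ["ssh"]
    if u["port"]:
        argv += ["-p", u["port"]]
    argv.append(_target(u))
    argv.append("%s -R %s serve --stdio" % (remotecmd, shlex.quote(u["path"])))
    return argv


def ssh_argv_hardened(url, remotecmd="hg"):
    """Same command line, but refuse anything ssh could read as an option.

    No legitimate user or hostname begins with '-', so rejecting those
    closes the hole whichever option the attacker picks (ProxyCommand is
    merely the most convenient one).  The port must be digits, and '--'
    makes getopt stop option parsing before the destination.
    """
    u = parse_ssh_url(url)
    target = _target(u)
    if target.startswith("-"):
        raise ValueError("illegal ssh destination %r" % target)
    if u["port"] is not None and not u["port"].isdigit():
        raise ValueError("illegal ssh port %r" % u["port"])
    argv = ["ssh"]
    if u["port"]:
        argv += ["-p", u["port"]]
    argv.append("--")
    argv.append(target)
    argv.append("%s -R %s serve --stdio" % (remotecmd, shlex.quote(u["path"])))
    return argv


def accepts_url(url):
    """True if the hardened builder would run ssh for this URL."""
    try:
        ssh_argv_hardened(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed malicious URL: the percent-encoded space keeps the whole
    # option inside the host part, before the first '/'.
    evil = "ssh://-oProxyCommand=touch%20pwned/repo"
    print("vulnerable argv:", ssh_argv_vulnerable(evil))
    print("hardened accepts it:", accepts_url(evil))
    print("hardened argv for a normal URL:",
          ssh_argv_hardened("ssh://hg.example.org:2222/repo"))
```

Note that the check is applied to the combined user@host string: a URL such as `ssh://-oProxyCommand=x@hg.example.org/repo` has an innocent-looking host but still hands ssh an argument starting with `-`.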

References

CVE Name CVE-2017-1000115
CVE Name CVE-2017-1000116
URL https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29