[3.6] mercurial: Multiple vulnerabilities (CVE-2017-1000115, CVE-2017-1000116)
CVE-2017-1000115: Mercurial’s symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
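The symlink issue above is about a checkout writing through a path whose parent is an already-checked-out symlink. The following is an added example of the kind of path audit a working-copy writer needs; it is not Mercurial's own pathauditor, and the function and class names (`audit_path`, `PathAuditError`, `demo`) are mine. It rejects absolute paths, `..` components, writes under the repository metadata directory, and any parent component that is a symlink, then double-checks that the resolved location is still under the root.

```python
import os
import tempfile

# Added example, not Mercurial's own code: audit a repository-relative path
# before a checkout writes to it, so a tracked symlink cannot redirect the
# write outside the working directory.

class PathAuditError(ValueError):
    pass

def audit_path(root, relpath):
    """Raise PathAuditError unless writing `relpath` stays inside `root`.

    Rules: no absolute paths, no empty / '.' / '..' components, nothing under
    the repository metadata directory, and no parent directory that is
    currently a symlink (a symlink already checked out could point anywhere).
    """
    if os.path.isabs(relpath):
        raise PathAuditError('absolute path: %r' % relpath)
    parts = relpath.split('/')
    if any(p in ('', '.', '..') for p in parts):
        raise PathAuditError('traversal or empty component in %r' % relpath)
    if parts[0].lower() == '.hg':
        raise PathAuditError('write into repository metadata: %r' % relpath)
    cur = root
    for comp in parts[:-1]:
        cur = os.path.join(cur, comp)
        if os.path.islink(cur):
            raise PathAuditError('parent %r is a symlink' % os.path.relpath(cur, root))
    # Belt and braces: the resolved location must still be under the root.
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, relpath))
    if os.path.commonpath([real_root, target]) != real_root:
        raise PathAuditError('resolves outside repository: %r' % relpath)
    return os.path.join(root, relpath)

def demo():
    """Build a throwaway working directory with one escaping symlink and
    audit a handful of constructed paths; returns {path: verdict}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'docs'))
        # Constructed scenario: a checked-out symlink pointing above the root.
        os.symlink(os.path.dirname(root), os.path.join(root, 'escape'))
        for rel in ('docs/README', 'escape/note', '../outside', '.hg/hgrc', '/etc/x'):
            try:
                audit_path(root, rel)
                results[rel] = 'ok'
            except PathAuditError:
                results[rel] = 'rejected'
    return results

if __name__ == '__main__':
    for path, verdict in demo().items():
        print('%-14s %s' % (path, verdict))
```

The per-component `islink` check is the part that matters for this CVE: a `realpath` comparison alone is not enough, because the symlink may be created by the same checkout a moment before the file behind it is written, so the audit has to run against the directory state at write time.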
CVE-2017-1000116: Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand.
References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
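The root cause of the ssh issue is that ssh parses a leading `-` on its first non-option argument as an option, so an attacker-controlled "hostname" becomes a `ProxyCommand` executed by the client's shell. Below is an added example of validating the host and user taken from an `ssh://` URL before building the ssh argv; it is not Mercurial's sshpeer code, and the names (`check_safe_ssh_host`, `check_safe_ssh_user`, `ssh_argv`, `is_rejected`) are mine. It goes slightly beyond the advisory by applying the same rule to the user part of `user@host`, which lands on the command line in the same position.

```python
import re
from urllib.parse import urlsplit

# Added example, not Mercurial's own code: refuse any ssh host or user that
# ssh could read as an option, and build the ssh command as an argv list
# (never a shell string) so nothing is re-parsed by /bin/sh on the client.

_HOST_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9.-]*$')
_USER_RE = re.compile(r'^[A-Za-z0-9._][A-Za-z0-9._-]*$')

class UnsafeSshArgument(ValueError):
    pass

def check_safe_ssh_host(host):
    """A "host" such as -oProxyCommand=<cmd> is an ssh option, not a host;
    accept only plain hostname syntax that cannot start with '-'."""
    if not host or host[0] == '-' or not _HOST_RE.match(host):
        raise UnsafeSshArgument('refusing ssh host %r' % host)
    return host

def check_safe_ssh_user(user):
    """The user part of user@host sits in the same argv slot, so it gets the
    same treatment."""
    if not user or user[0] == '-' or not _USER_RE.match(user):
        raise UnsafeSshArgument('refusing ssh user %r' % user)
    return user

def ssh_argv(url, remote_command):
    """Return argv for `ssh [-p port] [user@]host remote_command`."""
    parts = urlsplit(url)
    if parts.scheme != 'ssh':
        raise UnsafeSshArgument('expected an ssh:// url, got %r' % url)
    host = check_safe_ssh_host(parts.hostname or '')
    target = host
    if parts.username is not None:
        target = '%s@%s' % (check_safe_ssh_user(parts.username), host)
    argv = ['ssh']
    if parts.port:
        argv += ['-p', str(parts.port)]
    argv += [target, remote_command]
    return argv

def is_rejected(url, remote_command='hg serve --stdio'):
    """True if ssh_argv refuses the URL (helper for checks and tests)."""
    try:
        ssh_argv(url, remote_command)
    except UnsafeSshArgument:
        return True
    return False

if __name__ == '__main__':
    # Constructed URLs: one benign, two shaped like the advisory's pattern.
    for u in ('ssh://alice@hg.example.org:2222/repo',
              'ssh://-oProxyCommand=true/repo',
              'ssh://-oProxyCommand=true@hg.example.org/repo'):
        print('%-48s %s' % (u, 'rejected' if is_rejected(u) else ssh_argv(u, 'hg serve --stdio')))
```

Note that `urlsplit(...).hostname` is lower-cased, so matching must not depend on case; the allow-list regex is deliberately narrower than what DNS permits, which is the right trade-off for a value that ends up on a command line.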
(from redmine: issue id 7692, created on 2017-08-15, closed on 2017-08-21)
- Relations:
  - parent #7691 (closed)
- Changesets:
  - Revision acca7b18 by Natanael Copa on 2017-08-18T21:12:44Z:
    main/mercurial: security upgrade to 4.3.1
    fixes #7692
    CVE-2017-1000115
    CVE-2017-1000116