[Python-apps-team] Bug#927674: CVE-2019-3902
Moritz Muehlenhoff
jmm at debian.org
Sat Apr 20 23:32:13 BST 2019
Source: mercurial
Version: 4.8.2-1
Severity: grave
Tags: security
See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9:
This was assigned CVE-2019-3902:
It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking
logic and write files outside a repository. This has been fixed. Users on older versions
can either disable subrepositories with [subrepos] allowed=false in their configuration
or ensure any cloned repositories don't contain malicious symlinks.
This is fixed in sid, but buster still has 4.8.2.
Cheers,
Moritz
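The second mitigation above ("ensure cloned repositories don't contain malicious symlinks") can be checked mechanically. The following is an added example, not part of this bug report or of Mercurial itself: it inspects a checked-out working tree for symlinks whose target resolves outside the repository and for .hgsub entries whose mount path resolves outside it (the two ingredients the advisory describes). `build_demo_clone` fabricates a sample layout in a temporary directory; it is constructed data, not a real clone, and the .hgsub parsing is a simplified `path = source` reader.

```python
import os
import tempfile
from pathlib import Path

def _escapes(root, candidate):
    """True if candidate, fully resolved (symlinks followed), is not under root."""
    try:
        Path(candidate).resolve().relative_to(root)
        return False
    except ValueError:
        return True

def audit_clone(repo_root):
    """Scan a checked-out clone for symlinks that leave the repository and for
    subrepository paths (from .hgsub) that resolve outside it.  Working-tree
    inspection only; the .hg store is skipped."""
    root = Path(repo_root).resolve()
    escaping_symlinks, escaping_subrepos = [], []
    for dirpath, dirnames, filenames in os.walk(root):   # does not follow symlinks
        dirnames[:] = [d for d in dirnames if d != ".hg"]
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                target = os.readlink(p)
                if _escapes(root, p.parent / target):
                    escaping_symlinks.append((str(p.relative_to(root)), target))
    hgsub = root / ".hgsub"
    if hgsub.is_file():                                  # simplified 'path = source' parser
        for line in hgsub.read_text().splitlines():
            line = line.strip()
            if not line or line.startswith(("#", ";")) or "=" not in line:
                continue
            sub_path = line.split("=", 1)[0].strip()
            if _escapes(root, root / sub_path):
                escaping_subrepos.append(sub_path)
    return {"escaping_symlinks": escaping_symlinks,
            "escaping_subrepos": escaping_subrepos}

def build_demo_clone():
    """Constructed sample layout (hypothetical, not a real clone): one benign
    symlink, one symlink leaving the tree, and an .hgsub that mounts subrepos
    inside the tree, through the escaping symlink, and via a literal '..'."""
    base = Path(tempfile.mkdtemp())
    repo = base / "repo"
    (repo / "vendor").mkdir(parents=True)
    (base / "outside").mkdir()
    (repo / "README").write_text("demo\n")
    os.symlink("README", repo / "README.link")           # stays inside: fine
    os.symlink("../outside", repo / "escape")            # leaves the tree: flagged
    (repo / ".hgsub").write_text(
        "vendor/lib = https://example.invalid/lib\n"     # inside: fine
        "escape/sub = https://example.invalid/sub\n"     # through symlink: flagged
        "../evil = https://example.invalid/evil\n")      # via '..': flagged
    return str(repo)
```

Run `audit_clone` against a freshly cloned (but not yet trusted) repository before enabling subrepositories for it; an empty report for both keys is the expected result on a clean tree.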