[Python-apps-team] Bug#927674: CVE-2019-3902

Moritz Mühlenhoff jmm at inutil.org
Sun May 26 20:07:11 BST 2019


On Sun, Apr 21, 2019 at 12:32:13AM +0200, Moritz Muehlenhoff wrote:
> Source: mercurial
> Version: 4.8.2-1
> Severity: grave
> Tags: security
> 
> See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9:
> 
> This was assigned CVE-2019-3902:
> It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking
> logic and write files outside a repository. This has been fixed. Users on older versions
> can either disable subrepositories with [subrepos] allowed=false in their configuration
> or by ensuring any cloned repositories don't contain malicious symlinks.
> 
> This is fixed in sid, but buster still has 4.8.2.

A month later this is still unfixed in buster. Does anyone care about having this
in a stable release? Probably not, because no one cared about stretch already either:
https://security-tracker.debian.org/tracker/source-package/mercurial

If that's the case, let's drop it from buster?

Cheers,
         Moritz
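The quoted advisory names a configuration mitigation for installations that cannot upgrade: disable subrepositories via `[subrepos] allowed=false`. The following is an added example, not code from the bug report or from Mercurial, that parses an hgrc and reports whether subrepositories would still be honoured; it assumes Mercurial's documented `[subrepos]` semantics (`allowed` gates all kinds, `hg:allowed`/`git:allowed`/`svn:allowed` gate one kind, all defaulting to true) and uses constructed sample configs.

```python
import configparser

# Constructed sample configs (not from the bug report): the default, which leaves
# subrepositories enabled, beside the mitigation the advisory recommends.
HGRC_DEFAULT = """
[ui]
username = Example User <user@example.org>
"""

HGRC_HARDENED = """
[ui]
username = Example User <user@example.org>

[subrepos]
allowed = false
"""

def parse_hgrc(text):
    # hgrc is INI-like, but only '=' separates key and value; with the default
    # delimiters configparser would split 'hg:allowed' at the colon.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def subrepos_allowed(text, kind="hg"):
    """Return True if Mercurial would honour subrepositories of `kind` under this config.
    Assumption: 'allowed' (default true) switches every kind on or off, and
    '<kind>:allowed' (default true) gates a single kind."""
    cp = parse_hgrc(text)
    if not cp.has_section("subrepos"):
        return True  # nothing configured: the default is to allow
    sec = cp["subrepos"]
    if not sec.getboolean("allowed", fallback=True):
        return False
    return sec.getboolean(f"{kind}:allowed", fallback=True)

def check_configs(configs):
    """Map each config name to whether any subrepository kind is still enabled."""
    return {name: any(subrepos_allowed(t, k) for k in ("hg", "git", "svn"))
            for name, t in configs.items()}

if __name__ == "__main__":
    results = check_configs({"default": HGRC_DEFAULT, "hardened": HGRC_HARDENED})
    for name, exposed in results.items():
        print(f"{name}: subrepositories {'ENABLED' if exposed else 'disabled'}")
```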