On Sun, Dec 21, 2014 at 12:38:02PM +0100, Javi Merino wrote:
> Package: mercurial
> Version: 3.1.2-1
> Severity: important
> Tags: security upstream
>
> CVE-2014-9390[0][1] is a security vulnerability that affects mercurial
> repositories in a case-sensitive filesystem (e.g. VFAT or HFS+). It
> allows for remote code execution of a specially crafted repository.
> This is less severe for the average Debian installation as they are
> usually set up with case-insensitive filesystems.
>
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
> [1] https://security-tracker.debian.org/tracker/CVE-2014-9390
>
> This affects both Wheezy and Jessie.
In Ubuntu[0] they've fixed it by applying the following patches:

- http://selenic.com/repo/hg-stable/rev/035434b407be
- http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
- http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
- http://selenic.com/repo/hg-stable/rev/7a5bcd471f2e
- http://selenic.com/repo/hg-stable/rev/6dad422ecc5a

[0] https://bugs.launchpad.net/ubuntu/+source/git/+bug/1404035
[1] https://launchpadlibrarian.net/193058010/mercurial_3.1.2-1ubuntu1_source.changes

I'm working on applying the same patches.