rpm package: suse/mercurial (distro: SUSE Linux Enterprise Software Development Kit 12 SP2)
pkg:rpm/suse/mercurial&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2
Vulnerabilities (4)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-17458 | Critical | 9.8 | | < 2.8.2-15.6.1 | 2.8.2-15.6.1 | Dec 7, 2017 | In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but |
| CVE-2017-1000116 | Critical | 9.8 | | < 2.8.2-15.3.1 | 2.8.2-15.3.1 | Oct 5, 2017 | Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks. |
| CVE-2017-1000115 | High | 7.5 | | < 2.8.2-15.3.1 | 2.8.2-15.3.1 | Oct 5, 2017 | Mercurial prior to version 4.3 is vulnerable to a missing symlink check that can allow malicious repositories to modify files outside the repository. |
| CVE-2017-9462 | High | 8.8 | | < 2.8.2-14.1 | 2.8.2-14.1 | Jun 6, 2017 | In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name. |
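The "Affected versions" and "Fixed in" columns are rpm version-release strings, so a plain string or float comparison gets them wrong (15.10 sorts after 15.6, "1.0~rc1" sorts before "1.0"). The following is an added example, not code from this page, from SUSE or from Mercurial: a small Python port of rpm's `rpmvercmp` ordering, applied to the fixed versions in the table to list which CVEs are still open for a given installed EVR. Assumptions: the `(none):2.8.2-15.3.1` input line is a constructed sample of what `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' mercurial` prints, the `^` separator is not handled, and only ASCII version strings are expected.

```python
"""Compare an installed SUSE mercurial EVR against the 'Fixed in' column above."""
import re

# "Fixed in" column from the table above (mercurial rpm, SLE SDK 12 SP2).
FIXED_IN = {
    "CVE-2017-17458": "2.8.2-15.6.1",
    "CVE-2017-1000116": "2.8.2-15.3.1",
    "CVE-2017-1000115": "2.8.2-15.3.1",
    "CVE-2017-9462": "2.8.2-14.1",
}


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Segments are maximal runs of digits or of letters; separators are skipped,
    numeric segments beat alpha segments, leading zeros are dropped, and '~'
    (pre-release) sorts before everything including end-of-string (1.0~rc1 < 1.0).
    Assumption: the '^' separator is not handled and inputs are ASCII.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separator characters (anything that is neither alnum nor '~').
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break  # one side is exhausted; decided after the loop
        pattern = r"[0-9]+" if ca.isdigit() else r"[A-Za-z]+"
        ma = re.match(pattern, a[i:])
        mb = re.match(pattern, b[j:])
        if mb is None:
            return 1 if ca.isdigit() else -1  # numeric segment beats alpha segment
        sa, sb = ma.group(0), mb.group(0)
        if ca.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1  # more digits wins
        if sa != sb:
            return 1 if sa > sb else -1  # same length: lexical order decides
        i += ma.end()
        j += mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever still has characters left wins


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' into (epoch, version, release); epoch defaults to '0'."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Order two EVRs as rpm does: epoch, then version, then release
    (release only compared when both sides carry one)."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    rc = rpmvercmp(ea, eb) or rpmvercmp(va, vb)
    if rc == 0 and ra and rb:
        rc = rpmvercmp(ra, rb)
    return rc


def evr_from_rpm_query(line: str) -> str:
    # Normalizes one line of: rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' mercurial
    # rpm prints "(none)" for an unset epoch, which parse_evr() treats as epoch 0.
    line = line.strip()
    if line.startswith("(none):"):
        line = line[len("(none):"):]
    return line


def open_cves(installed_evr: str, fixed_in=FIXED_IN):
    """CVEs from the table whose fixed EVR is newer than the installed one."""
    return sorted(cve for cve, fixed in fixed_in.items() if evrcmp(installed_evr, fixed) < 0)


if __name__ == "__main__":
    # Constructed sample of the rpm query output, not captured from a real host.
    sample_query_output = "(none):2.8.2-15.3.1\n"
    installed = evr_from_rpm_query(sample_query_output)
    still_open = open_cves(installed)
    print(f"installed mercurial {installed}: {len(still_open)} unfixed CVE(s)")
    for cve in still_open:
        print(f"  {cve}: fixed in {FIXED_IN[cve]}")
```

On a real SLE host, pipe the output of the `rpm -q --qf` query into `evr_from_rpm_query()`; with the sample EVR 2.8.2-15.3.1 the two October 2017 fixes and the June 2017 fix are present, and only CVE-2017-17458 (fixed in 2.8.2-15.6.1) remains open.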