[Python-apps-team] Bug#861243: mercurial: Mercurial before 4.1.3 has a bug which allows remote users unauthorized access to a hg serve --stdio instance
Ethan Blanton
elb at lami.fiji-systems.com
Wed Apr 26 13:27:20 UTC 2017
Package: mercurial
Version: 3.1.2-2+deb8u3
Severity: important
Dear Maintainer,
All versions of Mercurial prior to 4.1.3 have a bug in
'hg serve --stdio' which can allow remote users access to the Python
debugger, from where they have nearly complete access to the local
system. For systems serving Mercurial repositories via ssh, this
could allow unauthorized access to the serving account.
The release notes for 4.1.3 can be found here:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
No Debian repository currently ships 4.1.3 or appears to ship any
version of Mercurial with this bug patched.
-- System Information:
Debian Release: 8.7
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages mercurial depends on:
ii libc6 2.19-18+deb8u7
ii mercurial-common 3.1.2-2+deb8u3
ii python 2.7.9-1
ii ucf 3.0030
Versions of packages mercurial recommends:
ii openssh-client 1:6.7p1-5+deb8u3
Versions of packages mercurial suggests:
pn kdiff3 | kdiff3-qt | kompare | meld | tkcvs | mgdiff <none>
pn qct <none>
-- no debconf information