Note:
This project will be discontinued after December 13, 2021. [more]
2017-06-06
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
Products | Debian_linux, Mercurial, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation |
Type | Incorrect Permission Assignment for Critical Resource (CWE-732) |
First patch | - None (likely due to unavailable code) |
Links |
• https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499
• https://security.gentoo.org/glsa/201709-18 • http://www.securityfocus.com/bid/99123 • http://www.debian.org/security/2017/dsa-3963 • https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html |