Test ID: | 1.3.6.1.4.1.25623.1.0.891414 |
Category: | Debian Local Security Checks |
Title: | Debian: Security Advisory (DLA-1414-1) |
Summary: | The remote host is missing an update for the Debian 'mercurial' package(s) announced via the DLA-1414-1 advisory. |
Description: | Summary: The remote host is missing an update for the Debian 'mercurial' package(s) announced via the DLA-1414-1 advisory.

Vulnerability Insight: Some security vulnerabilities were found in Mercurial which allow authenticated users to trigger arbitrary code execution and unauthorized data access in certain server configurations. Malformed patches and repositories can also lead to crashes and arbitrary code execution on clients.

CVE-2017-9462: In Mercurial before 4.1.3, 'hg serve --stdio' allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

CVE-2017-17458: In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

CVE-2018-1000132: Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.

OVE-20180430-0001: mpatch: be more careful about parsing binary patch data
OVE-20180430-0002: mpatch: protect against underflow in mpatch_apply
OVE-20180430-0004: mpatch: ensure fragment start isn't past the end of orig

For Debian 8 Jessie, these problems have been fixed in version 3.1.2-2+deb8u5. We recommend that you upgrade your mercurial packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]

Affected Software/OS: 'mercurial' package(s) on Debian 8.

Solution: Please install the updated package(s).

CVSS Score: 10.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C |
Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2017-17458
BugTraq ID: 102926
http://www.securityfocus.com/bid/102926
https://bz.mercurial-scm.org/show_bug.cgi?id=5730
https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29
https://lists.debian.org/debian-lts-announce/2017/12/msg00027.html
https://lists.debian.org/debian-lts-announce/2018/07/msg00005.html
https://lists.debian.org/debian-lts-announce/2018/07/msg00041.html
https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html

Common Vulnerability Exposure (CVE) ID: CVE-2017-9462
BugTraq ID: 99123
http://www.securityfocus.com/bid/99123
Debian Security Information: DSA-3963
http://www.debian.org/security/2017/dsa-3963
https://security.gentoo.org/glsa/201709-18
RedHat Security Advisories: RHSA-2017:1576
https://access.redhat.com/errata/RHSA-2017:1576

Common Vulnerability Exposure (CVE) ID: CVE-2018-1000132
https://lists.debian.org/debian-lts-announce/2018/03/msg00034.html
RedHat Security Advisories: RHSA-2019:2276
https://access.redhat.com/errata/RHSA-2019:2276

Common Vulnerability Exposure (CVE) ID: CVE-2018-13346
https://www.mercurial-scm.org/repo/hg/rev/faa924469635
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29

Common Vulnerability Exposure (CVE) ID: CVE-2018-13347
https://www.mercurial-scm.org/repo/hg-committed/log?rev=modifies%28%22mercurial%2Fmpatch.c%22%29+and+4.5%3A%3A
https://www.mercurial-scm.org/repo/hg/rev/1acfc35d478c

Common Vulnerability Exposure (CVE) ID: CVE-2018-13348
https://www.mercurial-scm.org/repo/hg/rev/90a274965de7 |
Copyright | Copyright (C) 2018 Greenbone AG |