Upstream has released version 4.1.3 on April 18, fixing a security issue: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
updated in cauldron
Resolution: (none) => FIXED
Status: NEW => RESOLVED
CC: (none) => mageia
openSUSE has issued an advisory for this on June 13: https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00007.html They identified this issue as CVE-2017-9462. Apparently it affects older versions too.
Resolution: FIXED => (none)
Summary: mercurial new security issue fixed upstream in 4.1.3 => mercurial new security issue fixed upstream in 4.1.3 (CVE-2017-9462)
Version: Cauldron => 5
Status: RESOLVED => REOPENED
https://lists.opensuse.org/opensuse-updates/2017-06/msg00049.html
Advisory:
========================

Updated mercurial package fixes security vulnerabilities:

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9462
https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00007.html
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
========================

Updated packages in core/updates_testing:
========================

mercurial-3.1.1-5.3.mga5 from mercurial-3.1.1-5.3.mga5.src.rpm
Status: REOPENED => ASSIGNED
CVE: (none) => CVE-2017-9462
Assignee: makowski.mageia => qa-bugs
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
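The advisory above describes a repository name ("--debugger") being read as a command-line option by "hg serve --stdio". The following Python is an added, constructed example, not Mercurial's own code, not its hg-ssh helper and not the fix that shipped in 4.1.3: it sketches the check a forced-command SSH wrapper can apply to the client's SSH_ORIGINAL_COMMAND before it ever starts hg. It accepts only the exact "hg -R <repo> serve --stdio" form, rejects any repository name that begins with "-", and resolves the name under a fixed root. The root /srv/hg, the function names, the segment rule and the sample commands are all assumptions made for the example.

```python
import posixpath
import re
import shlex

# Constructed example: the only directory this wrapper will serve repositories from.
HG_ROOT = "/srv/hg"

# One path segment of a repository name: must start with a letter, digit or
# underscore, so it can never start with '-' (an option) or '.' (., .., dotfiles).
_SEGMENT = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]*$")


class RepoNameError(ValueError):
    """Raised when the client-supplied command or repository name is not acceptable."""


def validate_repo_name(name: str) -> str:
    """Accept only a relative, slash-separated repository name made of safe segments."""
    if not name:
        raise RepoNameError("empty repository name")
    if name.startswith("-"):
        # The CVE-2017-9462 shape: a "repository" such as --debugger that the
        # server could read as a command-line option instead of a path.
        raise RepoNameError(f"repository name looks like an option: {name!r}")
    for segment in name.split("/"):
        if not _SEGMENT.match(segment):
            raise RepoNameError(f"unsafe path segment {segment!r} in {name!r}")
    return name


def build_serve_command(ssh_original_command: str, root: str = HG_ROOT) -> list:
    """Turn the client's SSH_ORIGINAL_COMMAND into a fixed, validated argv.

    Only the exact form 'hg -R <repo> serve --stdio' is accepted; anything else
    (extra flags, other subcommands, a repository token that looks like an option)
    is rejected before any process is started.
    """
    argv = shlex.split(ssh_original_command)
    if len(argv) != 5 or argv[0] != "hg" or argv[1] != "-R" or argv[3:] != ["serve", "--stdio"]:
        raise RepoNameError(f"unexpected command: {ssh_original_command!r}")
    repo = validate_repo_name(argv[2])
    # Resolve under the root and re-check containment, so a later relaxation of
    # the segment rule still cannot let a name escape the served directory.
    path = posixpath.normpath(posixpath.join(root, repo))
    if posixpath.commonpath([root, path]) != root:
        raise RepoNameError(f"repository {repo!r} resolves outside {root}")
    # The wrapper builds argv itself; nothing from the client is passed through as a flag.
    return ["hg", "-R", path, "serve", "--stdio"]


def is_accepted(ssh_original_command: str) -> bool:
    """Convenience predicate for policy tests and log review."""
    try:
        build_serve_command(ssh_original_command)
    except RepoNameError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample commands, as an SSH forced-command wrapper would see them.
    for cmd in ("hg -R my-hello serve --stdio",
                "hg -R --debugger serve --stdio",
                "hg -R ../../etc serve --stdio",
                "hg -R my-hello serve --stdio --debugger"):
        print(f"{cmd!r}: {'accepted' if is_accepted(cmd) else 'rejected'}")
```

The design point is that the wrapper never forwards the client's tokens as-is: it parses them, allow-lists the shape, and reassembles argv from its own constants plus a path it has already confined to the root, so the patched server is not the only thing standing between a repository name and the option parser.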
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Did the test on this single machine, following procedure in bug18366 Comment 8 with two remarks:
1. Len forgot to copy another clone command that is needed before the line "cd my-hello-new-output"; needed is "$ hg clone my-hello my-hello-new-output"
2. The original mercurial tutorial has been moved to: https://www.mercurial-scm.org/wiki/Tutorial
Test OK for me. I will copy my CLI history to a file and attach it to this bug.
CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
Created attachment 9428: testing procedure
Many thanks to Herman for posting the long test procedure - the attachment Comment 6.

Testing Mageia 5 x64
Installed initially from issued repos: mercurial-3.1.1-5.2.mga5

I started to run through the test, but ran into some glitches:

1. The original test path given in: https://bugs.mageia.org/show_bug.cgi?id=15590#c4 starts by creating file '~/.hgrc'; DO THIS FIRST.
[ui]
username = someUsername <someEmail@address>
ssh = ssh -C
without which (at least the 'username' line) the commit 'hg ci' does not work.

2.
├── tmp
│   ├── repo
│   │   ├── my-hello
│   │   ├── my-hello-new-output
│   │   └── my-hello-share/hello.c
The note "added new printf command in hello.c" refers to an arbitrary edit to this file to create a change. If you use vi, it may leave a backup copy 'hello.c~' which confuses things thereafter.

3. Unexpectedly, the '$ hg ci' command opens a vi window where you have to insert at the start (vi syntax, 'i' etc) a commit message. Be careful; if you do something wrong, you get into deep water and cannot re-do it.

4. The "hg revert hello.c" line lacks its leading '$' so you might overlook that it is a command to do. It is, & not a comment.

5. At the end, you may want to tidy up; from HOME:
$ rm -rf tmp/repo

UPDATED to: mercurial-3.1.1-5.3.mga5

Heeding these cautions, the given procedure worked exactly as described. Phew!
OK and validating.
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0182.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED