+++ This bug was initially created as a clone of Bug #21502 +++

Mercurial has released version 4.3 on August 10, fixing two security issues:
https://www.mercurial-scm.org/wiki/WhatsNew

There's also a 4.3.1, apparently released today, already in Cauldron.

The announcement was here:
https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html

Mageia 5 is probably also affected (especially since cvs, git, and svn were).
RedHat has issued an advisory for this today (August 17):
https://access.redhat.com/errata/RHSA-2017:2489

They backported patches to 2.6.2, which may be helpful.
mercurial-3.1.1-5.4.mga5 is in testing

Suggested advisory:
========================

Updated mercurial packages fix security vulnerabilities:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html
========================

Updated packages in core/updates_testing:
========================
mercurial-3.1.1-5.4.mga5

from mercurial-3.1.1-5.4.mga5.src.rpm

I hope that the backport is OK; I will check against the Debian one when it is ready.
Assignee: makowski.mageia => qa-bugs
Installed without issue but it is NOT working. I have tested on several repositories, always with the same error below.

$ LANGUAGE=C hg status
** unknown exception encountered, please report by visiting
** http://mercurial.selenic.com/wiki/BugTracker
** Python 2.7.9 (default, Aug 13 2016, 16:52:12) [GCC 4.9.2]
** Mercurial Distributed SCM (version 3.1.1)
** Extensions loaded:
Traceback (most recent call last):
  File "/usr/bin/hg", line 43, in <module>
    mercurial.dispatch.run()
  File "/usr/lib64/python2.7/site-packages/mercurial/dispatch.py", line 28, in run
    sys.exit((dispatch(request(sys.argv[1:])) or 0) & 255)
  File "/usr/lib64/python2.7/site-packages/mercurial/dispatch.py", line 69, in dispatch
    ret = _runcatch(req)
  File "/usr/lib64/python2.7/site-packages/mercurial/dispatch.py", line 169, in _runcatch
    return _dispatch(req)
  File "/usr/lib64/python2.7/site-packages/mercurial/dispatch.py", line 818, in _dispatch
    repo = hg.repository(ui, path=path)
  File "/usr/lib64/python2.7/site-packages/mercurial/hg.py", line 119, in repository
    peer = _peerorrepo(ui, path, create)
  File "/usr/lib64/python2.7/site-packages/mercurial/hg.py", line 106, in _peerorrepo
    obj = _peerlookup(path).instance(ui, path, create)
  File "/usr/lib64/python2.7/site-packages/mercurial/localrepo.py", line 1782, in instance
    return localrepository(ui, util.urllocalpath(path), create)
  File "/usr/lib64/python2.7/site-packages/mercurial/localrepo.py", line 201, in __init__
    self.nofsauditor = scmutil.pathauditor(self.root, self._checknested,
AttributeError: 'module' object has no attribute 'pathauditor'
CC: (none) => mageia
Philippe, please remember to CC yourself when you assign bugs to QA. See the previous comment.
CC: (none) => makowski.mageia
Whiteboard: (none) => feedback
The previous version I had installed and, after a downgrade, have now installed is working correctly, so a diff of the two versions may help pinpoint the problem.

$ rpm -q mercurial
mercurial-3.1.1-5.3.mga5
(In reply to David Walser from comment #4)
> Philippe, please remember to CC yourself when you assign bugs to QA. See
> the previous comment.

Not really needed, since I receive and read qa-bugs@ml.mageia.org.
(In reply to PC LX from comment #3)
> Installed without issue but it is NOT working. I have tested on several
> repositories always with the same error below.

That's what I was afraid of: the patch is not correct enough, it still needs some work, unfortunately. Sorry, and thanks for the report.
CC: (none) => qa-bugs
Assignee: qa-bugs => makowski.mageia
Created attachment 9653 [details]
patch from Debian

I will try with the Debian patch.
mercurial-3.1.1-5.5.mga5 is in testing

Suggested advisory:
========================

Updated mercurial packages fix security vulnerabilities:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116
https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html
========================

Updated packages in core/updates_testing:
========================
mercurial-3.1.1-5.5.mga5

from mercurial-3.1.1-5.5.mga5.src.rpm
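As an added illustration of the sanitization the advisory (comments 2 and 9) describes, and not code from Mercurial or from the Mageia package, this is the kind of check a VCS ssh transport needs before it hands a URL component to the ssh binary: any user, host or path that begins with "-" would be parsed by ssh as an option, so it is refused. The URL shape handled, the function names and the use of "--" as an option terminator are assumptions of this example.

```python
import re
import shlex

# Hypothetical pattern for the ssh://[user@]host[:port][/path] form (assumption).
_SSH_URL = re.compile(
    r"^ssh://(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+)(?::(?P<port>\d+))?(?P<path>/.*)?$"
)


class UnsafeUrl(ValueError):
    """Raised when a URL component would be read by ssh as a command-line option."""


def parse_ssh_url(url):
    """Split an ssh:// URL into (user, host, port, path); ValueError if malformed."""
    m = _SSH_URL.match(url)
    if not m:
        raise ValueError("not an ssh:// url: %r" % url)
    return m.group("user"), m.group("host"), m.group("port"), m.group("path") or ""


def check_ssh_url(url):
    """Return the parsed tuple, or raise UnsafeUrl if user, host or path starts with '-'.

    This mirrors the mitigation class described in the advisory: a host such as
    '-oProxyCommand=...' must never reach ssh's argv as a positional argument.
    """
    user, host, port, path = parse_ssh_url(url)
    for name, value in (("user", user), ("host", host), ("path", path.lstrip("/"))):
        if value and value.startswith("-"):
            raise UnsafeUrl("potentially unsafe url %r: %s starts with '-'" % (url, name))
    return user, host, port, path


def is_safe_ssh_url(url):
    """Boolean convenience wrapper around check_ssh_url."""
    try:
        check_ssh_url(url)
        return True
    except UnsafeUrl:
        return False


def build_ssh_argv(url, ssh="ssh"):
    """argv list for the transport: no shell, checked components, '--' before the target."""
    user, host, port, path = check_ssh_url(url)
    argv = [ssh]
    if port:
        argv += ["-p", port]
    target = "%s@%s" % (user, host) if user else host
    remote = "hg serve --stdio" if not path else "hg -R %s serve --stdio" % shlex.quote(path)
    return argv + ["--", target, remote]
```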
Installed and tested without issues.

System: Mageia 5, x86_64, Intel CPU.

Tests:
- did some clone/pull/push commands on remote (ssh) repositories;
- did some summary/status/log commands on local repositories;
- created a new repository and worked on it a bit;
- verified all local repositories (see command below).

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q mercurial
mercurial-3.1.1-5.5.mga5
$ P="$(pwd)" ; \
for U in $(find -type d -ipath '*/.hg') ; do \
  cd "$U/../" ; \
  echo "REPO: $(pwd)" ; \
  hg -q verify ; \
  cd "$P" ; \
done
$ find -type d -ipath '*/.hg' | wc -l
24
$ # all 24 repositories verified OK.
Whiteboard: feedback => feedback MGA5-64-OK
Whiteboard: feedback MGA5-64-OK => MGA5-64-OK
Debian advisory for this from today (September 4):
https://www.debian.org/security/2017/dsa-3963
(In reply to PC LX from comment #10)
> Installed and tested without issues.

A formidable test, for which many thanks.

Advisory uploaded from Comment 9. Validating.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs
Moving 'advisory' from whiteboard to keywords now that madb has been updated to handle that keyword.
Keywords: (none) => advisory
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0331.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED