Ubuntu has issued an advisory on August 6:
The issue is fixed upstream in 4.9.
Mageia 6 and Mageia 7 are also affected.
Fixed upstream in 4.9
Whiteboard:
Shlomi, I see you updated Mageia 7 to 4.9.1. Cauldron still has 4.7.2, and Mageia 6 also needs an update.
(In reply to David Walser from comment #1)
> Shlomi, I see you updated Mageia 7 to 4.9.1. Cauldron still has 4.7.2, and
> Mageia 6 also needs an update.
Cauldron is now on hg 5.1.
(In reply to Shlomi Fish from comment #2)
> (In reply to David Walser from comment #1)
> > Shlomi, I see you updated Mageia 7 to 4.9.1. Cauldron still has 4.7.2, and
> > Mageia 6 also needs an update.
> > mercurial-4.9.1-1.mga7
> Cauldron is now on hg 5.1.
Are you sure it actually built? Sophie sees an SRPM for 5.1 but only sees 4.7.2 for binary RPMs.
(note to self, Shlomi updated Mageia 6: mercurial-4.9.1-1.mga6)
Oh I see 5.1 on pkgsubmit. Sophie is slow. Thanks.
MGA7TOO, MGA6TOO =>
Updated mercurial package fixes security vulnerability:
It was discovered that Mercurial mishandled symlinks in subrepositories. An
attacker could use this vulnerability to write arbitrary files to the target’s
Updated packages in core/updates_testing:
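Added example, not Mercurial's own code nor part of the Mageia package: a defensive check in Python for the class of subrepository path the advisory describes. It parses entries from a .hgsub file (Mercurial's real subrepository manifest, "<path> = <source>" per line) and refuses any declared path that is absolute, contains "..", or passes through a symlink, so that files written into the subrepository cannot land outside the checkout. The sample repository layout and the example.invalid URLs are constructed for the demo.

```python
import os
import tempfile


def subrepo_path_is_safe(repo_root: str, subrepo_path: str) -> bool:
    """True only if repo_root/subrepo_path stays inside repo_root and no
    component of it is a symlink (a symlink could redirect writes elsewhere)."""
    root = os.path.realpath(repo_root)
    parts = [p for p in subrepo_path.split("/") if p]
    if os.path.isabs(subrepo_path) or ".." in parts:
        return False
    # Walk component by component so a symlink anywhere on the path is caught,
    # even one whose current target happens to lie inside the repository.
    current = root
    for part in parts:
        current = os.path.join(current, part)
        if os.path.islink(current):
            return False
        if not os.path.exists(current):
            break  # the rest does not exist yet; it would be created fresh
    resolved = os.path.realpath(os.path.join(root, *parts)) if parts else root
    return os.path.commonpath([root, resolved]) == root


def check_hgsub(repo_root: str, hgsub_text: str) -> dict:
    """Map each '<path> = <source>' line of .hgsub to subrepo_path_is_safe(path)."""
    results = {}
    for line in hgsub_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        path, _source = (s.strip() for s in line.split("=", 1))
        results[path] = subrepo_path_is_safe(repo_root, path)
    return results


def demo() -> dict:
    """Constructed layout: 'lib' is a real dir, 'evil' a symlink out of the checkout."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "repo")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(base, "outside"))
    os.symlink(os.path.join(base, "outside"), os.path.join(root, "evil"))
    hgsub = ("lib = https://example.invalid/lib\n"
             "evil/inner = https://example.invalid/inner\n"
             "../sneaky = https://example.invalid/sneaky\n")
    return check_hgsub(root, hgsub)


if __name__ == "__main__":
    print(demo())  # {'lib': True, 'evil/inner': False, '../sneaky': False}
```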
Installed and tested without issues.
Tested on several existing and new, remote and local repositories.
Tests included init, clone, pull, push, status, verify, add, commit, summary, etc.
System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.1.20-desktop-2.mga7 #1 SMP Fri Jul 26 23:04:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q mercurial