Bug 34129 - mercurial new security issue CVE-2025-2361
Summary: mercurial new security issue CVE-2025-2361
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-24 09:24 CET by Nicolas Salguero
Modified: 2025-03-31 17:54 CEST (History)

See Also:
Source RPM: mercurial-6.5.1-1.mga9.src.rpm
CVE: CVE-2025-2361
Status comment:


Attachments

Nicolas Salguero 2025-03-24 09:25:14 CET

CVE: (none) => CVE-2025-2361
Source RPM: (none) => mercurial-6.9.3-1.mga10.src.rpm, mercurial-6.5.1-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 6.9.4

Comment 2 Nicolas Salguero 2025-03-24 14:58:26 CET
Debian has issued an advisory on March 22:
https://lists.debian.org/debian-security-announce/2025/msg00045.html
Comment 3 Nicolas Salguero 2025-03-24 15:22:06 CET
Cauldron fixed with mercurial-6.9.4-1.mga10.

Whiteboard: MGA9TOO => (none)
Source RPM: mercurial-6.9.3-1.mga10.src.rpm, mercurial-6.5.1-1.mga9.src.rpm => mercurial-6.5.1-1.mga9.src.rpm
Version: Cauldron => 9

Comment 4 Lewis Smith 2025-03-24 21:09:41 CET
ns80 has already put the new version 6.9.4 into Cauldron; it needs doing for Mageia 9.

Assignee: bugsquad => pkg-bugs

Comment 5 Nicolas Salguero 2025-03-28 14:28:51 CET
Debian has issued an advisory on March 22:
https://lists.debian.org/debian-security-announce/2025/msg00045.html
Comment 6 Nicolas Salguero 2025-03-28 15:43:28 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Mercurial SCM Web Interface cross site scripting. (CVE-2025-2361)

References:
https://www.openwall.com/lists/oss-security/2025/03/21/2
https://lists.mercurial-scm.org/pipermail/mercurial-packaging/2025-March/000754.html
https://lists.debian.org/debian-security-announce/2025/msg00045.html
========================

Updated package in core/updates_testing:
========================
mercurial-6.5.1-1.1.mga9

from SRPM:
mercurial-6.5.1-1.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 6.9.4 => (none)

katnatek 2025-03-28 23:08:43 CET

Keywords: (none) => advisory

Comment 7 Herman Viaene 2025-03-29 14:04:22 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 25291 Comment 7 for testing.

$ hg version
Mercurial Distributed SCM (version 6.5.1)
(see https://mercurial-scm.org for more information)

Copyright (C) 2005-2023 Olivia Mackall and others
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ cd Documents/
$ mkdir qa
$ mkdir qa/hg
$ cd qa/hg
$ hg init
$ ls -a .hg
./  ../  00changelog.i  cache/  requires  store/  wcache/
$ cd .hg
$ hg clone http://selenic.com/hg mercurial-repo
real URL is https://repo.mercurial-scm.org/hg/
requesting all changes
adding changesets
adding manifests
adding file changes
added 53118 changesets with 106394 changes to 3949 files (+1 heads)
new changesets 9117c6561b0b:40bf6deb95e6
updating to branch default
2331 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ ls
00changelog.i  cache/  mercurial-repo/  requires  store/  wcache/
$ cd mercurial-repo/
$ ls
contrib/         CONTRIBUTORS  doc/  hgdemandimport/  hgext/     hgweb.cgi*  Makefile     mercurial/      README.rst  rust/         setup.py
CONTRIBUTING.md  COPYING       hg*   hgeditor*        hgext3rd/  i18n/       MANIFEST.in  pyproject.toml  relnotes/   rustfmt.toml  tests/
$ du -hs
119M    .
$ hg sum
parent: 53117:40bf6deb95e6 tip
 rust-annotate: allow --follow
branch: default
commit: (clean)
update: (current)
$ hg add
$ hg parents
changeset:   53117:40bf6deb95e6
tag:         tip
user:        Mitchell Kember <mkember@janestreet.com>
date:        Fri Mar 14 14:01:07 2025 -0400
summary:     rust-annotate: allow --follow

$ hg help
Mercurial Distributed SCM

list of commands:

Repository creation:

 clone         make a copy of an existing repository
 init          create a new repository in the given directory
and more .....
$ hg config --edit
Would let me change a lot if I understood.

All seems OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 8 PC LX 2025-03-30 11:47:16 CEST
Installed and tested without issues.

Tested:
- clone, pull, push commands on remote (ssh) repositories;
- init, add, remove, rename, summary, status, log, etc commands on local repositories;
- verifying all local existing repositories (see command below).

System: Mageia 9, x86_64, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu proprietary driver.
$ uname -a
Linux jupiter 6.6.83-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Mar 16 01:09:35 UTC 2025 x86_64 GNU/Linux
$ rpm -q mercurial
mercurial-6.5.1-1.1.mga9
$ find -type d -ipath '*/.hg' | wc -l
23
$ P="$(pwd)" ; \
  for U in $(find -type d -ipath '*/.hg') ; do \
    cd "$U/../" ; \
    echo "REPO: $(pwd)" ; \
    hg -q verify ; \
    cd "$P" ; \
  done
<SNIP all repositories verified OK>

CC: (none) => mageia

Comment 9 Thomas Andrews 2025-03-30 20:32:34 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 Mageia Robot 2025-03-31 17:54:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0120.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
