Mecurial is vulnerable to remote code execution (RCE). The hg serve --stdio
command allows a malicious user to launch the python debugger to execute arbitrary python code by using --debugger
as the target repository.
CPE | Name | Operator | Version |
---|---|---|---|
mercurial | eq | 1.4__4.el6 | |
mercurial | eq | 1.4__3.el6 |
www.debian.org/security/2017/dsa-3963
www.securityfocus.com/bid/99123
access.redhat.com/errata/RHSA-2017:1576
access.redhat.com/security/updates/classification/#important
bugs.debian.org/861243
lists.debian.org/debian-lts-announce/2018/07/msg00005.html
security.gentoo.org/glsa/201709-18
www.mercurial-scm.org/repo/hg/rev/77eaf9539499
www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29