===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1270
                         mercurial security update
                                12 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mercurial
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 7
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9462 CVE-2014-9390
Reference:         ASB-2014.0144
                   ESB-2015.0552
                   ESB-2015.0140

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3257

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running mercurial check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3257-1                   security@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
May 11, 2015                            http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mercurial
CVE ID         : CVE-2014-9462
Debian Bug     : 783237

Jesse Hertz of Matasano Security discovered that Mercurial, a distributed
version control system, is prone to a command injection vulnerability via
a crafted repository name in a clone command.

For the oldstable distribution (wheezy), this problem has been fixed in
version 2.2.2-4+deb7u1. This update also includes a fix for CVE-2014-9390
previously scheduled for the next wheezy point release.

For the stable distribution (jessie), this problem has been fixed in
version 3.1.2-2+deb8u1.
For the unstable distribution (sid), this problem has been fixed in
version 3.4-1.

We recommend that you upgrade your mercurial packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.