Summary: | dev-vcs/mercurial-4.5.2: arbitrary command execution in mercurial repo with a git submodule | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | glsamaker, polynomial-c |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1509868 | | |
Whiteboard: | B4 [noglsa cve] | | |
Package list: | dev-vcs/mercurial-4.5.2 | | |
Runtime testing required: | No | | |
Description
Agostino Sarubbo
2017-11-06 16:38:39 UTC
*** Bug 640560 has been marked as a duplicate of this bug. ***

Mitigation is to disable sub-repos and only clone trusted repos, which would be considered hardening. Mercurial has made this a default option accordingly for their users, and the fix is present in 4.5.2 (older versions not checked). Thus, the bug has been downgraded to B4.

GLSA Vote: No

@hppa, please stabilize.

hppa stable

Cleanup will be in bug 649872