From $URL

Confidentiality Impact: Complete (There is total information disclosure, resulting in all system files being revealed.)
Integrity Impact: Complete (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.)
Availability Impact: Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Single system (The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface).)
Gained Access: Admin
Vulnerability Type(s): Execute Code

References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29
https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499
https://bugs.debian.org/861243
http://www.securityfocus.com/bid/99123
Thanks Polynomial-c for bumping the next version; hppa is still in 3.8.4. Could you please let us know if the bug affects that version? If not, we could move on to the GLSA. Thanks
*** This bug has been marked as a duplicate of bug 621068 ***