The following commit fixes a code injection issue in Mercurial: http://selenic.com/hg/rev/e3f30068d2eb

A detailed description of the attack vector is available here: http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
+*mercurial-3.3.2 (24 Mar 2015)
+
+  24 Mar 2015; Lars Wendler <polynomial-c@gentoo.org> -mercurial-3.2.4.ebuild,
+  -mercurial-3.3.ebuild, +mercurial-3.3.2.ebuild:
+  Security bump (bug #544332). Removed old.
+

The mentioned fix is already in mercurial-3.3.2
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> The mentioned fix is already in mercurial-3.3.2

Is this ready to go stable?

GLSA vote: NO.
(In reply to Tobias Heinlein from comment #2)
> GLSA vote: NO.

Actually, no vote required here as it is B2.
Arches, please test and mark stable:
=dev-vcs/mercurial-3.3.2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
x86 stable
Stable for HPPA.
ppc64 stable
arm stable
CVE-2014-9462 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9462): The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command.
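The CVE text above describes a repository location that ends up controlling the command ssh runs. The block below is an added example, not Mercurial's sshpeer code and not the linked fix: it shows the general hardening that closes this class of bug, namely refusing any user-supplied ssh host, user or path component that starts with "-" (ssh would otherwise read it as an option), passing the local ssh invocation as an argv list with no shell, and shell-quoting the path that is embedded in the remote command. The function names, the hostname hg.example.org and the repository paths are constructed for the example.

```python
"""Validate an ssh:// repository location before building an ssh command.

Added example, not Mercurial's own code. Function and exception names are
hypothetical; the hostname and paths in the tests are constructed.
"""
import shlex
from urllib.parse import urlsplit


class UnsafeLocation(ValueError):
    """Raised when a user-supplied ssh:// location could alter the ssh argv."""


def _check_component(name, value):
    # A local ssh argument that begins with '-' is parsed by ssh as an
    # option rather than as a hostname or remote path, so reject it.
    if value.startswith("-"):
        raise UnsafeLocation(f"illegal ssh {name}: {value!r}")
    return value


def build_ssh_argv(location, remote_cmd="hg"):
    """Turn ssh://[user@]host[:port]/path into a safe argv list.

    The returned list is meant for subprocess without a shell. The remote
    command is one string because the remote side does run a shell, so the
    repository path is quoted with shlex.quote before being embedded.
    """
    u = urlsplit(location)
    if u.scheme != "ssh" or not u.hostname:
        raise UnsafeLocation(f"not an ssh:// location: {location!r}")
    host = _check_component("hostname", u.hostname)
    path = _check_component("path", u.path.lstrip("/") or ".")
    if u.username:
        _check_component("username", u.username)
        host = f"{u.username}@{host}"
    argv = ["ssh"]
    if u.port:
        argv += ["-p", str(u.port)]
    # The host is the last local argument; everything after it is the
    # remote command string.
    argv += [host, f"{remote_cmd} -R {shlex.quote(path)} serve --stdio"]
    return argv


if __name__ == "__main__":
    print(build_ssh_argv("ssh://alice@hg.example.org:2222/projects/repo"))
    try:
        build_ssh_argv("ssh://-x/repo")
    except UnsafeLocation as exc:
        print("rejected:", exc)
```

The leading-dash check is the part that matters for this CVE class; the argv list and shlex.quote are the complementary hygiene a packager would expect to see around any program that wraps ssh.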
alpha stable
ia64 stable
ppc stable
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Arches, thank you for your work.

Added to an existing GLSA request.

Maintainer(s), please drop the vulnerable version(s).
+  12 May 2015; Lars Wendler <polynomial-c@gentoo.org> -mercurial-3.2.3.ebuild:
+  Removed vulnerable version.
+
Maintainer(s), thank you for the cleanup.
This issue was resolved and addressed in GLSA 201612-19 at https://security.gentoo.org/glsa/201612-19 by GLSA coordinator Aaron Bauman (b-man).