CVE-2017-1000115: Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.

CVE-2017-1000116: Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed. All three tools are doing their security release today.

Lars, since I was available and am an ex-Mercurial maintainer, I figured I could bump this for you real quick -- hope you don't mind.
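The hostname problem described in the comment above comes down to one missing check: a user@host string that begins with "-" reaches ssh(1) as its first argument and is parsed as a client option rather than a destination. The following is an added illustration of that check, written for this page; it is not Mercurial's, Git's or Gentoo's code, and the function names (check_ssh_target, build_ssh_argv, classify) and the sample targets are constructed for the example. It assumes the caller has already split an ssh:// URL into user, host and repository path, and shows the validated argv being built without a shell, with the repository path shell-quoted because the remote login shell still interprets the command string.

```python
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Characters permitted in a user@host target: alphanumerics, "_", ".", "@",
# ":" and "[]" (IPv6 literals) and "-". A leading "-" is rejected separately
# so that the error message names the actual problem.
_TARGET_RE = re.compile(r"^[A-Za-z0-9_.@:\[\]-]+$")


class UnsafeSshTargetError(ValueError):
    """Raised when a user@host string would be misparsed by ssh(1)."""


def check_ssh_target(target: str) -> str:
    """Return target unchanged if it is safe to pass to ssh as the destination."""
    if not target:
        raise UnsafeSshTargetError("empty ssh target")
    if target.startswith("-"):
        # ssh(1) treats a leading "-" as the start of an option, so a host
        # such as -oProxyCommand=... would become a client-side option.
        raise UnsafeSshTargetError(
            f"ssh target {target!r} looks like a command-line option")
    if not _TARGET_RE.fullmatch(target):
        raise UnsafeSshTargetError(
            f"ssh target {target!r} contains disallowed characters")
    return target


def build_ssh_argv(host: str, path: str, user: Optional[str] = None) -> List[str]:
    """Build an argv list (no local shell) for an hg-style
    'ssh <target> hg -R <path> serve --stdio' invocation.

    The destination is validated before ssh ever sees it; the repository path
    is shell-quoted because the remote shell executes the command string.
    """
    target = f"{user}@{host}" if user else host
    check_ssh_target(target)
    remote_cmd = f"hg -R {shlex.quote(path)} serve --stdio"
    return ["ssh", target, remote_cmd]


# Constructed sample inputs (hypothetical), in the shape an ssh:// URL parser
# would hand over after splitting off user and host.
SAMPLE_TARGETS: List[Tuple[str, Optional[str]]] = [
    ("hg.example.org", None),
    ("192.0.2.10", "alice"),
    ("-oProxyCommand=example", None),               # host begins with "-"
    ("hg.example.org", "-oProxyCommand=example"),   # same shape via the user part
]


def classify(samples: List[Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """Map each sample's user@host string to 'ok' or 'rejected'."""
    results: Dict[str, str] = {}
    for host, user in samples:
        target = f"{user}@{host}" if user else host
        try:
            check_ssh_target(target)
            results[target] = "ok"
        except UnsafeSshTargetError:
            results[target] = "rejected"
    return results


if __name__ == "__main__":
    for target, verdict in classify(SAMPLE_TARGETS).items():
        print(f"{verdict:8} {target}")
    print(build_ssh_argv("hg.example.org", "/srv/hg/my repo", user="alice"))
```

The check is applied to the joined user@host string rather than to the host alone, because a "-" at the start of the user part produces exactly the same leading character once the two are combined.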
Version bump to 4.3 pushed.

commit 0a16ae3418799bb39ce9cc3f5bee848803e3e06a (HEAD -> master, origin/master, origin/HEAD)
Author: Dirkjan Ochtman <djc@gentoo.org>
Date:   Thu Aug 10 21:57:21 2017 +0200

    dev-vcs/mercurial: version bump 4.3 with security issues (bug 627484)

    Package-Manager: Portage-2.3.6, Repoman-2.3.1
ia64 stable
alpha stable
ppc/ppc64 stable
amd64/x86 stable
arm stable
stable for hppa (thanks to Dakon)
sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
New GLSA request filed. @Maintainer please proceed to clean the tree, it is your call to decide if sparc is dropped when removing affected versions. Gentoo Security Padawan ChrisADR
This issue was resolved and addressed in GLSA 201709-18 at https://security.gentoo.org/glsa/201709-18 by GLSA coordinator Aaron Bauman (b-man).
re-opened for cleanup
sparc stable (thanks to Rolf Eike Beer)
Thank you all. @Maintainer please clean up the tree. Gentoo Security Padawan ChrisADR
Tree is clean. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=232a60dfb4321c0c59bb55a6421d5f908cea1919