This is somewhat of a specific attack vector, and I'm not sure to what extent it is widely deployed, but we likely want to stabilize >=4.1.3. Anyway, useful for tracking purposes. From the Debian bug: Dear Maintainer, All versions of Mercurial prior to 4.1.3 have a bug in 'hg serve --stdio' which can allow remote users access to the Python debugger, from where they have nearly complete access to the local system. For systems serving Mercurial repositories via ssh, this could allow unauthorized access to the serving account. Some details in commit in $URL
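The Debian text above names the exposure (a client of an ssh-served repository can reach the Python debugger through 'hg serve --stdio') but not the mechanism, and the upstream fix lives in Mercurial itself. The script below is an added example, not Mercurial's, Debian's or Gentoo's code: a wrapper-side gate of the kind a repository host would install as the SSH forced command for the serving account, so that the client-controlled command string in SSH_ORIGINAL_COMMAND is only ever executed if it is exactly `hg -R <repo> serve --stdio` for an allowlisted repository. Any extra global option (Mercurial's real `--debugger` or `--config` flags, for instance), any other subcommand, or a repository argument that itself looks like an option is refused before hg is invoked. The allowlist, paths and the environment-variable convention are assumptions made for the example.

```python
"""Gate for an SSH forced command that only permits 'hg -R <repo> serve --stdio'.

Added example, not Mercurial's or Gentoo's code. Assumes the server installs it
as the forced command for the serving account, so the client-controlled string
arrives in $SSH_ORIGINAL_COMMAND. The repository allowlist is constructed.
"""
import os
import shlex
import sys

# Constructed allowlist of repositories this account may serve.
ALLOWED_REPOS = frozenset({"/srv/hg/project", "/srv/hg/docs"})


def parse_serve_command(command):
    """Return the repository path if `command` is exactly
    'hg -R <repo> serve --stdio', otherwise None.

    Anything else (extra global options such as --debugger or --config,
    a different subcommand, or a repo argument that itself looks like an
    option) is refused rather than passed through to hg.
    """
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes and similar shell-syntax errors
        return None
    if len(argv) != 5:
        return None
    if argv[0] != "hg" or argv[1] != "-R" or argv[3:] != ["serve", "--stdio"]:
        return None
    repo = argv[2]
    if not repo or repo.startswith("-"):
        return None
    return repo


def authorize(command, allowed=ALLOWED_REPOS):
    """Return the exact argv to exec, or None if the request is refused."""
    repo = parse_serve_command(command)
    if repo is None:
        return None
    # Collapse '..' segments so the allowlist comparison is on a canonical path.
    repo = os.path.normpath(repo)
    if repo not in allowed:
        return None
    # Rebuild argv from the validated pieces; never forward the raw string.
    return ["hg", "-R", repo, "serve", "--stdio"]


def main():
    argv = authorize(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("Illegal command\n")
        sys.exit(255)
    os.execvp(argv[0], argv)


if __name__ == "__main__":
    main()
```

Installed as `command="/usr/local/bin/hg-gate"` in the serving account's authorized_keys, the gate rebuilds argv from the validated pieces instead of forwarding the client's string, so a trailing or leading option never reaches hg's own option parser. It does not resolve symlinks (os.path.normpath is a purely lexical operation), so the allowlist should hold the paths the server actually uses, and it is a defense at the SSH boundary only; the fixed Mercurial version (>=4.1.3 per the quoted report) is still what closes the bug in the server itself.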
Filed bug 621280 earlier, let's use that?
(In reply to Dirkjan Ochtman from comment #1) > Filed bug 621280 earlier, let's use that? No problem using that for stabilization; updated this bug to reflect it
(In reply to Dirkjan Ochtman from comment #1) > Filed bug 621280 earlier, let's use that? In general this isn't a problem. But sometimes overloaded arch teams will ignore non-security stabilization requests. I assigned the bug to security@, let's see if this will work.
*** Bug 624726 has been marked as a duplicate of this bug. ***
@ Arches, please continue stabilization of =dev-vcs/mercurial-4.2!
arm stable
GLSA Request filed. Cleanup from versions prior to 4.3 will occur in bug 627484. Gentoo Security Padawan ChrisADR
This issue was resolved and addressed in GLSA 201709-18 at https://security.gentoo.org/glsa/201709-18 by GLSA coordinator Aaron Bauman (b-man).