Package: mercurial
Version: 3.1.2-2+deb8u3
Severity: important

Dear Maintainer,

All versions of Mercurial prior to 4.1.3 have a bug in 'hg serve --stdio' which can allow remote users access to the Python debugger, from where they have nearly complete access to the local system. For systems serving Mercurial repositories via ssh, this could allow unauthorized access to the serving account.

The release notes for 4.1.3 can be found here:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29

No Debian repository currently ships 4.1.3 or appears to ship any version of Mercurial with this bug patched.

-- System Information:
Debian Release: 8.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mercurial depends on:
ii  libc6             2.19-18+deb8u7
ii  mercurial-common  3.1.2-2+deb8u3
ii  python            2.7.9-1
ii  ucf               3.0030

Versions of packages mercurial recommends:
ii  openssh-client  1:6.7p1-5+deb8u3

Versions of packages mercurial suggests:
pn  kdiff3 | kdiff3-qt | kompare | meld | tkcvs | mgdiff  <none>
pn  qct                                                   <none>

-- no debconf information
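An added helper (not part of this bug report or of Mercurial) for an administrator checking whether the installed Mercurial is older than the 4.1.3 fix named above. It assumes 'hg version' prints a line of the form "Mercurial Distributed SCM (version X.Y.Z)" and also accepts a Debian package version such as "3.1.2-2+deb8u3":

```python
import re
import subprocess

# First upstream release with the 'hg serve --stdio' debugger fix, per the report above.
FIXED_VERSION = (4, 1, 3)


def parse_version(text):
    """Return the upstream (major, minor, patch) tuple found in `text`.

    Works on 'hg version' output ("... (version 3.1.2)") and on Debian package
    versions ("3.1.2-2+deb8u3"); the Debian revision after '-' is ignored, and a
    missing patch component (e.g. "4.2") is treated as 0.
    """
    m = re.search(r'(\d+)\.(\d+)(?:\.(\d+))?', text)
    if not m:
        raise ValueError("no Mercurial version found in: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text):
    """True if the version in `version_text` predates 4.1.3.

    Caveat: distributions sometimes backport a fix without changing the upstream
    version number, so a True result means "check the package changelog", not
    proof that the fix is absent.
    """
    return parse_version(version_text) < FIXED_VERSION


def installed_hg_is_affected():
    """Run the local 'hg version' (assumed on PATH) and classify it."""
    out = subprocess.check_output(['hg', 'version'], universal_newlines=True)
    return is_affected(out)


if __name__ == '__main__':
    # Constructed sample of the output format this helper assumes.
    sample = "Mercurial Distributed SCM (version 3.1.2)\n(see https://mercurial-scm.org for more information)"
    print("sample affected:", is_affected(sample))
    print("package 3.1.2-2+deb8u3 affected:", is_affected("3.1.2-2+deb8u3"))
```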

