Source: mercurial
Version: 4.8.2-1
Severity: grave
Tags: security

See https://www.mercurial-scm.org/wiki/WhatsNew from 4.9:

This was assigned CVE-2019-3902:
It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository. This has been fixed. Users on older versions can either disable subrepositories with [subrepos] allowed=false in their configuration or ensure any cloned repositories don't contain malicious symlinks.

This is fixed in sid, but buster still has 4.8.2.

Cheers,
        Moritz
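An added example (not part of the bug report or of Mercurial itself) that checks the two workarounds quoted above on the administrator's side: it parses an hgrc fragment for the [subrepos] allowed=false setting (a simplified parse, not Mercurial's own config loader) and lists symlinks in a working copy whose target resolves outside the repository root; the hgrc fragments and the demo repository are constructed.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Constructed hgrc fragments (assumption: the advisory's mitigation written
# as an hgrc file; the second fragment leaves subrepositories at the default).
HGRC_MITIGATED = "[subrepos]\nallowed = false\n"
HGRC_DEFAULT = "[ui]\nusername = example\n"


def subrepos_disabled(hgrc_text):
    """True only if [subrepos] allowed=false is set explicitly (simplified hgrc parse)."""
    cp = configparser.ConfigParser()
    cp.read_string(hgrc_text)
    value = cp.get("subrepos", "allowed", fallback="true")
    return value.strip().lower() == "false"


def escaping_symlinks(repo_root):
    """List symlinks under repo_root whose resolved target lies outside repo_root."""
    root = Path(repo_root).resolve()
    found = []
    for dirpath, dirnames, filenames in os.walk(root):   # does not follow symlinks
        dirnames[:] = [d for d in dirnames if d != ".hg"]  # skip repository metadata
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if not path.is_symlink():
                continue
            try:
                path.resolve().relative_to(root)
            except ValueError:                # target is not under the repo root
                found.append(str(path.relative_to(root)))
    return sorted(found)


def demo():
    """Build a constructed working copy with one harmless and one escaping symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        (repo / "sub").mkdir(parents=True)
        (repo / "sub" / "file.txt").write_text("ok\n")
        os.symlink("sub/file.txt", repo / "inside")   # stays inside the repository
        os.symlink("../..", repo / "sub" / "escape")  # resolves to the parent of repo
        return escaping_symlinks(repo)                # -> ["sub/escape"]
```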
