CVE-2014-9462

Publication date 31 March 2015

Last updated 24 July 2024

Ubuntu priority

The _validaterepo function in sshpeer in Mercurial before 3.2.4 allows remote attackers to execute arbitrary commands via a crafted repository name in a clone command.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
mercurial	15.04 vivid	Fixed 3.1.2-2+deb8u1build0.15.04.2
	14.10 utopic	Fixed 3.1.1-1ubuntu0.2
	14.04 LTS trusty	Fixed 2.8.2-1ubuntu1.3
	12.04 LTS precise	Fixed 2.0.2-1ubuntu1.2
	10.04 LTS lucid	Ignored

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

http://chargen.matasano.com/chargen/2015/3/17/this-new-vulnerability-mercurial-command-injection-cve-2014-9462.html
http://selenic.com/hg/rev/e3f30068d2eb
https://www.cve.org/CVERecord?id=CVE-2014-9462