CVE-2017-18026

Priority
Description
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not
block the --config and --debugger flags to the Mercurial hg program, which
allows remote attackers to execute arbitrary commands (through the
Mercurial adapter) via vectors involving a branch whose name begins with a
--config= or --debugger= substring, a related issue to CVE-2017-17536.
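The missing check described above, as an added Ruby example that is not Redmine's code or its upstream patch: untrusted branch names are classified before an hg argument vector is built. The function and constant names and the sample values are assumptions made for illustration, and the check goes beyond the two flags named in the description by refusing any value that starts with "-".

```ruby
# Added illustration; names here are hypothetical, not taken from Redmine.
class UnsafeHgArgument < ArgumentError; end

# The two flags named in the advisory, with or without "=value".
NAMED_FLAGS = /\A--(?:config|debugger)(?:=|\z)/

# Classify one untrusted value (branch, tag or revision name)
# before it is placed on an hg command line.
def classify_hg_value(value)
  s = value.to_s
  return :empty       if s.empty?
  return :named_flag  if s.match?(NAMED_FLAGS)
  return :option_like if s.start_with?("-") # stricter than the advisory
  :ok
end

# Build the argv for `hg log` restricted to one branch. Raises instead of
# handing an option-like value to hg. The result is an array, meant to be
# executed without a shell (for example Open3.capture2e(*argv)).
def hg_log_argv(repo_path, branch)
  verdict = classify_hg_value(branch)
  unless verdict == :ok
    raise UnsafeHgArgument,
          "rejected branch name (#{verdict}): #{branch.inspect}"
  end
  ["hg", "-R", repo_path, "log", "-b", branch.to_s]
end

if __FILE__ == $0
  # Constructed sample inputs, not taken from any real repository.
  samples = ["default", "stable-3.4", "--config=section.key=value",
             "--debugger=1", "-v", ""]
  samples.each do |name|
    begin
      puts "allow  #{hg_log_argv('/srv/repo', name).inspect}"
    rescue UnsafeHgArgument => e
      puts "block  #{e.message}"
    end
  end
end
```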
Notes
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (3.4.4-1)
Ubuntu 19.04 (Disco Dingo): not-affected (3.4.4-1)
Ubuntu 19.10 (Eoan): not-affected (3.4.4-1)
More Information

Updated: 2019-10-18 02:32:35 UTC (commit cccfc4426d8c1fbf582a89d981fe7fc812124543)