Upstream information

CVE-2019-3902 at MITRE

Description

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

SUSE information

SUSE Bugzilla entry: 1133035 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) | Fixed package version(s) | References
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP1
  • mercurial >= 4.5.2-3.9.44
  • mercurial-lang >= 4.5.2-3.9.44
Patchnames:
SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2020-1709
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP2
  • mercurial >= 4.5.2-3.9.44
  • mercurial-lang >= 4.5.2-3.9.44
Patchnames:
SUSE-SLE-Module-Development-Tools-OBS-15-SP2-2020-1709
SUSE Linux Enterprise Module for Python2 packages 15 SP1
  • mercurial >= 4.5.2-3.9.44
Patchnames:
SUSE-SLE-Module-Python2-15-SP1-2020-1709
SUSE Linux Enterprise Module for Python2 packages 15 SP2
  • mercurial >= 4.5.2-3.9.44
Patchnames:
SUSE-SLE-Module-Python2-15-SP2-2020-1709
SUSE Linux Enterprise Software Development Kit 12 SP5
  • mercurial >= 2.8.2-15.18.4
Patchnames:
SUSE-SLE-SDK-12-SP5-2020-3003
openSUSE Leap 15.1
  • mercurial >= 4.5.2-lp151.6.3.1
  • mercurial-debuginfo >= 4.5.2-lp151.6.3.1
  • mercurial-debugsource >= 4.5.2-lp151.6.3.1
  • mercurial-lang >= 4.5.2-lp151.6.3.1
Patchnames:
openSUSE-2020-869
openSUSE Leap 15.2
  • mercurial >= 4.5.2-lp152.7.3.1
  • mercurial-debuginfo >= 4.5.2-lp152.7.3.1
  • mercurial-debugsource >= 4.5.2-lp152.7.3.1
  • mercurial-lang >= 4.5.2-lp152.7.3.1
Patchnames:
openSUSE-2020-880