[Bug 4539] New: Security Vulnerabilities identified in CheckMarx Scan

mercurial-bugs at selenic.com mercurial-bugs at selenic.com
Tue Feb 17 00:16:53 CST 2015


          Priority: normal
            Bug ID: 4539
                CC: mercurial-devel at selenic.com
          Assignee: bugzilla at selenic.com
           Summary: Security Vulnerabilities identified in CheckMarx Scan
          Severity: bug
    Classification: Unclassified
                OS: Windows
          Reporter: philip.w.mcadams at intel.com
          Hardware: PC
            Status: UNCONFIRMED
           Version: 2.8.2
         Component: Mercurial
           Product: Mercurial

Our internal IT security team scanned Mercurial source code in CheckMarx and
discovered the following vulnerabilities: Privacy Violation, Path Traversal,
Insecure Randomness, Client Cross Frame Scripting Attack, Command Injection.

The most vulnerable files identified were: test=hgweb-auth.py, comvcmd.py,
synthrepo.py, run-tests.py, lsprof.py. We are working with the IT team on next
steps and wanted to provide this general information in your bug tracker. I'm
able to provide you the actual report due to IP. If there are any specific
questions about the report, I will work to provide you the requested information.
