
A Mercurial update has been released for Debian 6 LTS.



Package : mercurial
Version : 1.6.4-1+deb6u1
CVE ID : CVE-2014-9390 CVE-2014-9462

CVE-2014-9462

Jesse Hertz of Matasano Security discovered that Mercurial, a
distributed version control system, is prone to a command injection
vulnerability via a crafted repository name in a clone command.

CVE-2014-9390

This vulnerability affects Mercurial repositories on a
case-insensitive filesystem (e.g. VFAT or HFS+). It allows remote
code execution via a specially crafted repository. This is less
severe for the average Debian installation, as these are usually set
up with case-sensitive filesystems.
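
To check whether a directory that holds Mercurial working copies meets the exposure condition for CVE-2014-9390 (a case-insensitive filesystem), the filesystem can be probed directly. This is an added example, not part of the advisory or of Mercurial; the function names `is_case_insensitive` and `audit` are assumptions made for illustration.

```python
import os
import sys
import tempfile


def is_case_insensitive(directory):
    """Probe whether file names in `directory` are matched case-insensitively.

    Returns True or False, or None when the directory cannot be written to
    and the probe is therefore inconclusive.
    """
    try:
        # The lowercase prefix guarantees that upper-casing changes the name.
        fd, probe = tempfile.mkstemp(prefix="caseprobe_", suffix=".tmp",
                                     dir=directory)
    except OSError:
        return None
    os.close(fd)
    try:
        head, name = os.path.split(probe)
        swapped = os.path.join(head, name.upper())
        # On a case-insensitive filesystem the upper-cased name resolves
        # to the very same file that was just created.
        return os.path.exists(swapped) and os.path.samefile(probe, swapped)
    finally:
        os.unlink(probe)  # leave nothing behind in the probed directory


def audit(directories):
    """Map each directory to a human-readable verdict."""
    labels = {True: "case-insensitive", False: "case-sensitive",
              None: "unknown"}
    return {d: labels[is_case_insensitive(d)] for d in directories}


if __name__ == "__main__":
    # Pass the directories that hold working copies; defaults to the cwd.
    targets = sys.argv[1:] or [os.getcwd()]
    for path, verdict in audit(targets).items():
        print(f"{path}: {verdict}")
```

A "case-insensitive" verdict marks a location where the patched package matters most; an "unknown" verdict means the probe could not write there and the mount type should be checked by other means.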