A mercurial update has been released for Debian 6 LTS
Package : mercurial
Version : 1.6.4-1+deb6u1
CVE ID : CVE-2014-9390 CVE-2014-9462
CVE-2014-9462
Jesse Hertz of Matasano Security discovered that Mercurial, a
distributed version control system, is prone to a command injection
vulnerability via a crafted repository name in a clone command.
CVE-2014-9390
This vulnerability affects Mercurial repositories on a
case-insensitive filesystem (e.g. VFAT or HFS+). It allows remote
code execution via a specially crafted repository. It is less
severe for the average Debian installation, as these are usually
set up with case-sensitive filesystems.
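
The following check is an added example, not part of the original advisory. It reports whether the installed mercurial package is at or above the fixed version listed above, and whether each directory passed as an argument sits on a case-insensitive filesystem. The function names are hypothetical, and the directories to audit are whatever paths hold your working copies.

```shell
#!/bin/sh
# Added example (not from the advisory): triage for CVE-2014-9390 / CVE-2014-9462.
FIXED_VERSION='1.6.4-1+deb6u1'   # fixed package version, taken from the advisory

# Exit 0 if DIR is on a case-insensitive filesystem, 1 if case-sensitive,
# 2 if DIR cannot be probed (missing or not writable).
fs_is_case_insensitive() {
    ci_tmp=$(mktemp -d "$1/.casecheck.XXXXXX" 2>/dev/null) || return 2
    : > "$ci_tmp/probe"
    # On a case-insensitive filesystem the upper-case name resolves to the same file.
    if [ -e "$ci_tmp/PROBE" ]; then ci_rc=0; else ci_rc=1; fi
    rm -rf "$ci_tmp"
    return "$ci_rc"
}

# Exit 0 if the installed mercurial package is at or above FIXED_VERSION,
# 1 if it is older, 2 if the package is not installed.
mercurial_is_fixed() {
    hg_ver=$(dpkg-query -W -f='${Version}' mercurial 2>/dev/null) || return 2
    [ -n "$hg_ver" ] || return 2
    dpkg --compare-versions "$hg_ver" ge "$FIXED_VERSION"
}

# Print one status line per directory argument.
audit_dirs() {
    for ad_dir in "$@"; do
        if fs_is_case_insensitive "$ad_dir"; then
            echo "$ad_dir: case-insensitive (CVE-2014-9390 exposure applies)"
        else
            case $? in
                1) echo "$ad_dir: case-sensitive" ;;
                *) echo "$ad_dir: could not probe" ;;
            esac
        fi
    done
}

# Package check runs only where dpkg is available (Debian and derivatives).
if command -v dpkg-query >/dev/null 2>&1; then
    if mercurial_is_fixed; then
        echo "mercurial: at or above $FIXED_VERSION"
    else
        echo "mercurial: not installed or older than $FIXED_VERSION"
    fi
fi
audit_dirs "$@"
```

Pass the mount points that hold repositories as arguments, for example a removable VFAT volume; the probe creates and removes a temporary directory inside each one.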