Mercurial 4.3 and 4.2.3 released

Augie Fackler raf at durin42.com
Thu Aug 10 14:11:52 EDT 2017


> On Aug 10, 2017, at 14:09, Augie Fackler <raf at durin42.com> wrote:
> 
> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immedately*:

Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly.

> 
> CVE-2017-1000115:
> 
> Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
> 
> CVE-2017-1000116:
> 
> Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed. All three tools are doing their security release today.
> 
> Please update your packaged builds as soon as practical.
> 
> Note that since we dropped Python 2.6 and these issues are pretty bad, we did the back port to 4.2.3. We may not do further 4.2 releases, so please plan around Python 2.7 in the near future if you haven't already.
> 
> Thanks!
> Augie

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP
URL: <http://www.mercurial-scm.org/pipermail/mercurial/attachments/20170810/3ddb72ee/attachment.sig>


More information about the Mercurial mailing list