Mercurial 4.3 and 4.2.3 released
Boris Feld
boris.feld at octobus.net
Fri Aug 11 06:13:27 EDT 2017
On Thu, 2017-08-10 at 14:09 -0400, Augie Fackler wrote:
> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch
> *immedately*:
>
> CVE-2017-1000115:
>
> Mercurial's symlink auditing was incomplete prior to 4.3, and could
> be abused to write to files outside the repository.
>
> CVE-2017-1000116:
>
> Mercurial was not sanitizing hostnames passed to ssh, allowing shell
> injection attacks by specifying a hostname starting with
> -oProxyCommand. This is also present in Git (CVE-2017-1000117) and
> Subversion (CVE-2017-9800), so please patch those tools as well if
> you have them installed. All three tools are doing their security
> release today.
>
> Please update your packaged builds as soon as practical.
>
> Note that since we dropped Python 2.6 and these issues are pretty
> bad, we did the back port to 4.2.3. We may not do further 4.2
> releases, so please plan around Python 2.7 in the near future if you
> haven't already.
>
> Thanks!
> Augie
Thank you Augie for the release and thank you Yuja, Sean and Jun for
the security fixes!
We had to backport the patches for Mercurial 4.1.3 for some customers.
We made them available in case someone else needs them:
https://bitbucket.org/octobus/mercurial-backport/branch/backport-4.
1.
Sincerely,
Boris Feld
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel at mercurial-scm.org
> https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
More information about the Mercurial
mailing list