Mercurial 4.3 and 4.2.3 released

Boris Feld boris.feld at octobus.net
Fri Aug 11 10:13:27 UTC 2017


On Thu, 2017-08-10 at 14:09 -0400, Augie Fackler wrote:
> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch
> *immediately*:
> 
> CVE-2017-1000115:
> 
> Mercurial's symlink auditing was incomplete prior to 4.3, and could
> be abused to write to files outside the repository.
> 
> CVE-2017-1000116:
> 
> Mercurial was not sanitizing hostnames passed to ssh, allowing shell
> injection attacks by specifying a hostname starting with
> -oProxyCommand. This is also present in Git (CVE-2017-1000117) and
> Subversion (CVE-2017-9800), so please patch those tools as well if
> you have them installed. All three tools are doing their security
> release today.
> 
> Please update your packaged builds as soon as practical.
> 
> Note that since we dropped Python 2.6 and these issues are pretty
> bad, we did the back port to 4.2.3. We may not do further 4.2
> releases, so please plan around Python 2.7 in the near future if you
> haven't already.
> 
> Thanks!
> Augie

Thank you Augie for the release and thank you Yuja, Sean and Jun for
the security fixes!

We had to backport the patches for Mercurial 4.1.3 for some customers.

We made them available in case someone else needs them:
    
    https://bitbucket.org/octobus/mercurial-backport/branch/backport-4.1.

Sincerely,
Boris Feld
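The two bug classes named in the advisory above, shown as added example code (not Mercurial's own fix, nor the backport patches): a hostname check that refuses anything ssh would parse as an option, and a symlink audit that keeps a relative path inside the repository root. It assumes plain DNS-style hostnames (no IPv6 literals) and builds the ssh argv without a shell.

```python
import os
import re
import tempfile

# Added example, not Mercurial's own code: the two input-validation checks
# that the advisory describes, written from the defender's side.

# Plain DNS-style hostname: labels of letters, digits and '-', never a
# leading '-' (IPv6 literals are out of scope for this example).
_HOST_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9-]*(\.[A-Za-z0-9][A-Za-z0-9-]*)*$')


def ssh_host_is_safe(host):
    """CVE-2017-1000116 check: a host beginning with '-' would be parsed by
    ssh as an option (e.g. -oProxyCommand=...), so refuse it outright."""
    return not host.startswith('-') and _HOST_RE.match(host) is not None


def build_ssh_argv(host, user=None, remote_cmd='hg serve --stdio'):
    """Build an argv list (no shell involved) after validating user and host."""
    if not ssh_host_is_safe(host) or (user and user.startswith('-')):
        raise ValueError('potentially unsafe ssh target: %r' % host)
    target = user + '@' + host if user else host
    return ['ssh', target, remote_cmd]


def path_stays_inside(root, relpath):
    """CVE-2017-1000115 check: after resolving every symlink component, the
    final path must still be under the repository root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, relpath))
    return target == root or target.startswith(root + os.sep)


def demo_symlink_audit():
    """Constructed fixture: a temporary 'repo' containing a symlink 'up' that
    points at the repo's parent directory. Returns {relpath: passes_audit}."""
    root = tempfile.mkdtemp()
    os.symlink(os.path.dirname(root), os.path.join(root, 'up'))
    os.mkdir(os.path.join(root, 'sub'))
    cases = ['README', 'sub/file.txt', 'up/outside.txt', '../outside.txt']
    return {p: path_stays_inside(root, p) for p in cases}


if __name__ == '__main__':
    print(build_ssh_argv('hg.example.org', user='alice'))
    print(ssh_host_is_safe('-oProxyCommand=anything'))
    print(demo_symlink_audit())
```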

