Mercurial 4.5.2 tagged
Gregory Szorc
gregory.szorc at gmail.com
Tue Mar 6 22:39:47 UTC 2018
On Tue, Mar 6, 2018 at 11:51 AM, Kevin Bullock <kbullock at ringworld.org> wrote:
> Please update your package builds, thanks.
>
> Multiple security vulnerabilities in Mercurial's HTTP wire protocol
> interface were fixed in this release:
>
> * Not all commands would deny access if the repository was configured to
> not allow read access.
>
> * The "batch" command did not check permissions of sub-commands, thus
> allowing permissions bypass to access and modify some repository data.
> Servers could have their bookmarks, phases, and obsolescence markers
> updated by any client that was able to trigger server processing of the
> "batch" command.
>
> Note that the tag and signature are only in hg-committed right now -- this
> is due to a known bug in our new patch acceptance process and will be fixed
> at some point. The tag and signature should land in main within the next
> hour or two.
>
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29
contains a more detailed write-up of the security issues. It also links to
backports of the security patches to 4.4 and 4.3. Those backports weren't
explicitly reviewed through Mercurial's normal review mechanism. But I
authored the reviewed security fixes for 4.5 and the backports. So
hopefully there isn't a trust issue in play. Mozilla is currently running
the 4.4 backports in production on hg.mozilla.org and I can vouch that they
appear to work just as well as the official patches on 4.5.2.
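The "batch" permission bypass quoted above, as an added illustration that is not Mercurial's code and not part of either message: a constructed, heavily simplified wire-protocol dispatcher in which the batch container command is checked for its own (read) permission but its sub-commands are not, beside a corrected dispatcher that checks every sub-command. The command names, the permission table, the `Repo` class and the batch argument encoding are all assumptions made for the example.

```python
"""Constructed example of a "batch" sub-command permission bypass.

This is not Mercurial's implementation. The command set, the permission
table and the batch encoding ("cmd1 k=v,k=v;cmd2 ...") are assumptions
chosen to keep the example short.
"""


class PermissionDenied(Exception):
    pass


class Repo:
    """Assumed server-side repository with a read/write policy and bookmarks."""

    def __init__(self, allow_pull=True, allow_push=False):
        self.allow_pull = allow_pull
        self.allow_push = allow_push
        self.bookmarks = {}

    def authorized(self, perm):
        return {"pull": self.allow_pull, "push": self.allow_push}[perm]


# Permission required by each top-level command (assumed table).
# "batch" itself only needs read access; that is the crux of the bug.
PERMISSIONS = {
    "heads": "pull",
    "listkeys": "pull",
    "pushkey": "push",   # writes bookmarks, so it must require push
    "batch": "pull",
}


def cmd_heads(repo, args):
    return "heads-ok"


def cmd_listkeys(repo, args):
    return ";".join("%s=%s" % kv for kv in sorted(repo.bookmarks.items()))


def cmd_pushkey(repo, args):
    repo.bookmarks[args["key"]] = args["new"]
    return "1"


COMMANDS = {"heads": cmd_heads, "listkeys": cmd_listkeys, "pushkey": cmd_pushkey}


def parse_batch(cmds):
    """Split "heads ;pushkey key=foo,new=abc" into [(name, args), ...]."""
    out = []
    for item in cmds.split(";"):
        name, _, rest = item.strip().partition(" ")
        args = {}
        if rest:
            for pair in rest.split(","):
                k, _, v = pair.partition("=")
                args[k] = v
        out.append((name, args))
    return out


def _dispatch(repo, name, args, check_sub_perms):
    # The top-level command's permission is always enforced.
    if not repo.authorized(PERMISSIONS[name]):
        raise PermissionDenied(name)
    if name != "batch":
        return COMMANDS[name](repo, args)
    results = []
    for sub, subargs in parse_batch(args["cmds"]):
        # Vulnerable variant skips this check: a client that may only read
        # can smuggle a write command (pushkey) inside a batch request.
        if check_sub_perms and not repo.authorized(PERMISSIONS[sub]):
            raise PermissionDenied(sub)
        results.append(COMMANDS[sub](repo, subargs))
    return ";".join(results)


def dispatch_vulnerable(repo, name, args):
    return _dispatch(repo, name, args, check_sub_perms=False)


def dispatch_fixed(repo, name, args):
    return _dispatch(repo, name, args, check_sub_perms=True)


if __name__ == "__main__":
    ro = Repo(allow_pull=True, allow_push=False)
    print(dispatch_vulnerable(ro, "batch", {"cmds": "heads ;pushkey key=foo,new=abc"}))
    print("bookmarks after vulnerable batch:", ro.bookmarks)
    ro2 = Repo(allow_pull=True, allow_push=False)
    try:
        dispatch_fixed(ro2, "batch", {"cmds": "heads ;pushkey key=foo,new=abc"})
    except PermissionDenied as e:
        print("fixed dispatcher denied:", e)
```

A direct `pushkey` from the read-only client is refused by both variants; only the batch wrapper lets it through in the vulnerable one. The general lesson is that any container or multiplexing command must apply the authorization check of each operation it carries, not just its own.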