Mercurial 4.5.2 tagged

Juan Francisco Cantero Hurtado iam at juanfra.info
Wed Mar 7 11:30:24 UTC 2018


On Tue, Mar 06, 2018 at 02:39:47PM -0800, Gregory Szorc wrote:
> On Tue, Mar 6, 2018 at 11:51 AM, Kevin Bullock <kbullock at ringworld.org>
> wrote:
> 
> > Please update your package builds, thanks.
> >
> > Multiple security vulnerabilities in Mercurial's HTTP wire protocol
> > interface were fixed in this release:
> >
> > * Not all commands would deny access if the repository was configured to
> > not allow read access.
> >
> > * The "batch" command did not check permissions of sub-commands, thus
> > allowing permissions bypass to access and modify some repository data.
> > Servers could have their bookmarks, phases, and obsolescence markers
> > updated by any client that was able to trigger server processing of the
> > "batch" command.
> >
> > Note that the tag and signature are only in hg-committed right now -- this
> > is due to a known bug in our new patch acceptance process and will be fixed
> > at some point. The tag and signature should land in main within the next
> > hour or two.
> >
> 
> https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29
> contains a more detailed write-up of the security issues. It also links to
> backports of the security patches to 4.4 and 4.3. Those backports weren't
> explicitly reviewed through Mercurial's normal review mechanism. But I
> authored the reviewed security fixes for 4.5 and the backports. So
> hopefully there isn't a trust issue in play. Mozilla is currently running
> the 4.4 backports in production on hg.mozilla.org and I can vouch that they
> appear to work just as well as the official patches on 4.5.2.

Thanks for the backports. Greatly appreciated.


-- 
Juan Francisco Cantero Hurtado http://juanfra.info



More information about the Mercurial-packaging mailing list