Mercurial 4.3 and 4.2.3 released
Augie Fackler
raf at durin42.com
Thu Aug 10 22:53:47 UTC 2017
> On Aug 10, 2017, at 14:25, Augie Fackler <raf at durin42.com> wrote:
>
>
>> On Aug 10, 2017, at 14:11, Augie Fackler <raf at durin42.com> wrote:
>>
>>
>>> On Aug 10, 2017, at 14:09, Augie Fackler <raf at durin42.com> wrote:
>>>
>>> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*:
>>
>> Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly.
>
> 4.2.3 is now correctly available from mercurial-scm.org <http://mercurial-scm.org/> and has a tag in <http://mercurial-scm.org/repo/hg-committed>.
>
> I can't (sadly) upload it to pypi, please let me know if that's a major concern for you.
The betrayal of the release scripts continues: 4.3 didn't include the security patches correctly.
So there's now a 4.3.1 with the patches.
(I'll do a mini-postmortem on this later, not to worry.)
>
>>
>>>
>>> CVE-2017-1000115:
>>>
>>> Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
>>>
>>> CVE-2017-1000116:
>>>
>>> Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed. All three tools are doing their security release today.
>>>
>>> Please update your packaged builds as soon as practical.
>>>
>>> Note that since we dropped Python 2.6 and these issues are pretty bad, we did the back port to 4.2.3. We may not do further 4.2 releases, so please plan around Python 2.7 in the near future if you haven't already.
>>>
>>> Thanks!
>>> Augie
>>
>
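The CVE-2017-1000116 class of bug is an argument that ssh parses as an option because it begins with a dash. The following is an added example (my code, not Mercurial's and not the patch the project shipped) of the defensive check a client-side wrapper can apply before URL components become ssh argv entries; the `ssh://[user@]host[:port]/path` layout and the `hg -R … serve --stdio` remote command string are assumptions.

```python
# Added example, not Mercurial's code: refuse ssh URL components that
# ssh would interpret as options, and build argv (never a shell string).
import shlex
from urllib.parse import urlsplit


class UnsafeSSHTarget(ValueError):
    """Raised when a URL component could be taken as an ssh option."""


def parse_ssh_url(url):
    """Split ssh://[user@]host[:port]/path into validated parts."""
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise UnsafeSSHTarget("not an ssh URL: %r" % url)
    host = parts.hostname or ""
    user = parts.username or ""
    path = parts.path.lstrip("/") or "."
    # The check that matters: ssh treats any argv entry beginning with '-'
    # as an option, so a "hostname" or user such as -oProxyCommand=... is refused.
    for label, value in (("host", host), ("user", user)):
        if value.startswith("-"):
            raise UnsafeSSHTarget("%s may not start with '-': %r" % (label, value))
    if not host:
        raise UnsafeSSHTarget("empty host in %r" % url)
    return user or None, host, parts.port, path


def is_safe_ssh_url(url):
    """True if the URL passes validation, False if it would be rejected."""
    try:
        parse_ssh_url(url)
    except UnsafeSSHTarget:
        return False
    return True


def build_ssh_argv(url, remote_cmd="hg -R {path} serve --stdio"):
    """Return the argv list for invoking ssh against a validated URL."""
    user, host, port, path = parse_ssh_url(url)
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    target = "%s@%s" % (user, host) if user else host
    # '--' ends ssh option parsing, so the destination can never be read
    # as an option even if a later validation mistake lets a dash through.
    # The remote path is shell-quoted because the remote side runs it via a shell.
    argv += ["--", target, remote_cmd.format(path=shlex.quote(path))]
    return argv
```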