Mercurial 4.3 and 4.2.3 released
Dr Rainer Woitok
rainer.woitok at gmail.com
Fri Aug 11 09:10:36 UTC 2017
Augie,
On Thursday, 2017-08-10 14:11:52 -0400, you wrote:
> ...
> > CVE-2017-1000115:
> >
> > Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
What precisely does that mean? Is it no longer possible to have a version
controlled symbolic link somewhere in the working directory which
points to some place outside the Mercurial repository? Some of my
repositories heavily depend on this :-(
I searched the web for "CVE-2017-1000115", but found neither a detailed
description of the problem nor of the solution.
Anybody caring to shed some light on this?
Sincerely,
Rainer