Mercurial 4.3 and 4.2.3 released

Dr Rainer Woitok rainer.woitok at gmail.com
Fri Aug 11 09:10:36 UTC 2017


Augie,

On Thursday, 2017-08-10 14:11:52 -0400, you wrote:

> ...
> > CVE-2017-1000115:
> > 
> > Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.

What precisely does that mean? Is it no longer possible to have a version
controlled symbolic link somewhere in the working directory which points
to some place outside the Mercurial repository? Some of my repositories
heavily depend on this :-(

I searched the web for "CVE-2017-1000115", but found neither a detailed
description of the problem nor of the solution.

Anybody caring to shed some light on this?

Sincerely,
  Rainer


