Mercurial 4.3 and 4.2.3 released

Sean Farley sean at farley.io
Fri Aug 11 21:07:49 UTC 2017


Boris Feld <boris.feld at octobus.net> writes:

> On Thu, 2017-08-10 at 14:09 -0400, Augie Fackler wrote:
>> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch
>> *immedately*:
>> 
>> CVE-2017-1000115:
>> 
>> Mercurial's symlink auditing was incomplete prior to 4.3, and could
>> be abused to write to files outside the repository.
>> 
>> CVE-2017-1000116:
>> 
>> Mercurial was not sanitizing hostnames passed to ssh, allowing shell
>> injection attacks by specifying a hostname starting with
>> -oProxyCommand. This is also present in Git (CVE-2017-1000117) and
>> Subversion (CVE-2017-9800), so please patch those tools as well if
>> you have them installed. All three tools are doing their security
>> release today.
>> 
>> Please update your packaged builds as soon as practical.
>> 
>> Note that since we dropped Python 2.6 and these issues are pretty
>> bad, we did the back port to 4.2.3. We may not do further 4.2
>> releases, so please plan around Python 2.7 in the near future if you
>> haven't already.
>> 
>> Thanks!
>> Augie
>
> Thank you Augie for the release and thank you Yuja, Sean and Jun for
> the security fixes!
>
> We had to backport the patches for Mercurial 4.1.3 for some customers.
>
> We made them available in case someone else needs them:
>
> https://bitbucket.org/octobus/mercurial-backport/branch/backport-4.
> 1.

In what turned out to be a nightmare for me, I too, have backported
these fixes to 3.7.3:

https://bitbucket.org/atlassian/mercurial/commits/branch/sec-3.7

I viewed this as an exercise and in no way promise to backport future
things.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 800 bytes
Desc: not available
URL: <http://lists.mercurial-scm.org/pipermail/mercurial/attachments/20170811/1eb95e23/attachment.asc>


More information about the Mercurial mailing list