Opened 7 years ago

Closed 7 years ago

#9600 closed enhancement (fixed)

mercurial-4.3

Reported by: ken@… Owned by: ken@…
Priority: high Milestone: 8.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by ken@…)

Following on from git-2.14.1, mercurial-4.3 and -4.2.3 have both been released. The Download Now link currently points to 4.2.3 but I assume we should go to 4.3. From https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html

Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*:

CVE-2017-1000115:

Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.

CVE-2017-1000116:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed. All three tools are doing their security release today.

Please update your packaged builds as soon as practical.

Note that since we dropped Python 2.6 and these issues are pretty bad, we did the back port to 4.2.3. We may not do further 4.2 releases, so please plan around Python 2.7 in the near future if you haven't already.

Thanks!
Augie
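As an added illustration of the check the advisory above describes (option-like user or host components must be refused before ssh is spawned), this is example code, not Mercurial's own implementation; the ssh:// grammar, the sample URLs and the function names are assumptions for this example.

```python
import re

# Constructed sample URLs of the shape the advisory describes; not real hosts.
SAFE_URL = "ssh://hg@example.org:2222/srv/repo"
OPTION_LIKE_HOST = "ssh://-oProxyCommand=x/repo"
OPTION_LIKE_USER = "ssh://-oProxyCommand=x@example.org/repo"

# Minimal ssh:// grammar assumed here: [user@]host[:port][/path]
SSH_URL_RE = re.compile(
    r"^ssh://(?:(?P<user>[^@/]*)@)?(?P<host>[^@:/]+)(?::(?P<port>\d+))?(?P<path>/.*)?$"
)


class UnsafeSshTarget(ValueError):
    """A URL component that ssh would read as a command-line option."""


def parse_ssh_url(url):
    """Split an ssh:// URL into parts, refusing option-like user/host values.

    ssh treats any leading argument that starts with '-' as an option, so a
    user or host beginning with '-' must never reach the ssh argv at all.
    """
    m = SSH_URL_RE.match(url)
    if not m:
        raise UnsafeSshTarget("not a recognised ssh:// URL: %r" % url)
    parts = m.groupdict()
    for key in ("user", "host"):
        value = parts[key]
        if value is not None and value.startswith("-"):
            raise UnsafeSshTarget("%s %r looks like an ssh option" % (key, value))
    return parts


def build_ssh_argv(url, remote_cmd):
    """Build an argv list (no shell involved) for running remote_cmd over ssh."""
    parts = parse_ssh_url(url)
    argv = ["ssh"]
    if parts["port"]:
        argv += ["-p", parts["port"]]
    target = parts["host"]
    if parts["user"]:
        target = parts["user"] + "@" + target
    # The target goes after every option; parse_ssh_url guarantees it
    # cannot itself be mistaken for one.
    argv.append(target)
    argv.append(remote_cmd)
    return argv


def is_safe_ssh_url(url):
    """True when the URL passes the check, False when it would be refused."""
    try:
        parse_ssh_url(url)
    except UnsafeSshTarget:
        return False
    return True
```

The list form of argv is deliberate: it goes straight to exec without a shell, so the check above is the only place the hostname is interpreted.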

Change History (5)

comment:1 by ken@…, 7 years ago

Owner: changed from blfs-book@… to ken@…
Status: new → assigned

comment:2 by ken@…, 7 years ago

Description: modified (diff)

comment:3 by ken@…, 7 years ago

On my most recent build, two tests fail - both are described as test-cases.t and the output is almost unparseable (lots of short chunks followed by ' # Ran x tests, y skipped, z failed'). The failing tests did create a .t.err file, in this case test-cases.t.a.err, and find found that in child8/ along with test-run-tests.t.sh.

No idea why, and it all sailed through with -j8 on a more powerful but slightly older system.

comment:4 by ken@…, 7 years ago

So now that I come to edit the page, I see loads of instructions commented out. Too late.

comment:5 by ken@…, 7 years ago

Resolution: fixed
Status: assigned → closed

Fixed in r19007.
