| 1 | | Following on from git-2.14.1, mercurial-4.3 and -4.2.3 have both been released. The Download Now link currently points to 4.2.3 but I assume we should go to 4.3. I assume these fix CVE-2017-1000116 but no details are available. |
| | 1 | Following on from git-2.14.1, mercurial-4.3 and -4.2.3 have both been released. The Download Now link currently points to 4.2.3 but I assume we should go to 4.3. From [https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html] |
| | 2 | |
| | 3 | {{{ |
| | 4 | Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immedately*: |
| | 5 | |
| | 6 | CVE-2017-1000115: |
| | 7 | |
| | 8 | Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository. |
| | 9 | |
| | 10 | CVE-2017-1000116: |
| | 11 | |
| | 12 | Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed. All three tools are doing their security release today. |
| | 13 | |
| | 14 | Please update your packaged builds as soon as practical. |
| | 15 | |
| | 16 | Note that since we dropped Python 2.6 and these issues are pretty bad, we did the back port to 4.2.3. We may not do further 4.2 releases, so please plan around Python 2.7 in the near future if you haven't already. |
| | 17 | |
| | 18 | Thanks! |
| | 19 | Augie |
| | 20 | }}} |
