From: Augie Fackler <raf-AT-durin42.com>
To: mercurial-packaging-AT-mercurial-scm.org, mercurial-devel <mercurial-devel-AT-mercurial-scm.org>, Mercurial <mercurial-AT-mercurial-scm.org>
Subject: Mercurial 4.3 and 4.2.3 released
Date: Thu, 10 Aug 2017 14:09:39 -0400
Message-ID: <5FCA47F5-9374-486F-866D-CF13B18D2050@durin42.com>
Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*:
CVE-2017-1000115:
Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files
outside the repository.
CVE-2017-1000116:
Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by
specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117)
and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed. All
three tools are doing their security release today.
Please update your packaged builds as soon as practical.
Note that since we dropped Python 2.6 and these issues are pretty bad, we did the backport to
4.2.3. We may not do further 4.2 releases, so please plan around Python 2.7 in the near future if
you haven't already.
Thanks!
Augie
_______________________________________________
Mercurial mailing list
Mercurial@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial
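The two checks the advisory above describes, written out as an added example in Python. This is not Mercurial's own code (nor Git's or Subversion's); the function names, the naive ssh:// URL splitting, the shape of the ssh argv and the temporary repository layout are assumptions made for illustration. `build_ssh_argv(..., check=False)` shows why a host component such as `-oProxyCommand=id` is dangerous: it lands directly after `ssh` in the argument vector, where ssh parses it as an option, and `audit_path` shows the kind of per-component symlink check a working-directory writer needs so that a checkout cannot first create `link -> /outside` and then write through `link/file`.

```python
"""Illustrative re-implementation of the two fixes described in the
advisory: rejecting ssh host/user/port values that begin with '-', and
refusing working-directory paths that traverse a symlink.  Constructed
for this page; not Mercurial's code."""
import os
import tempfile


def split_ssh_url(url):
    """Split 'ssh://[user@]host[:port]/path' into (user, host, port, path).

    Deliberately naive: no validation at all, so a host that begins with
    '-' is passed through unchanged.  The leading '/' of the path is
    dropped, so 'ssh://h/repo' yields path 'repo' (an assumption here).
    """
    if not url.startswith("ssh://"):
        raise ValueError("not an ssh:// URL")
    rest = url[len("ssh://"):]
    netloc, _sep, path = rest.partition("/")
    user, at, hostport = netloc.rpartition("@")
    if not at:
        user, hostport = None, netloc
    host, colon, port = hostport.partition(":")
    return user, host, (port if colon else None), path


def build_ssh_argv(url, check=True):
    """Build the argv a client would exec to reach a remote 'hg serve --stdio'.

    check=False mirrors the vulnerable behaviour: whatever came out of the
    URL is placed right after 'ssh', so a host of '-oProxyCommand=id' is
    read by ssh as an option and 'id' is executed locally.  check=True is
    the hardened form: any user, host or port beginning with '-' is
    rejected before it can reach ssh's option parser.
    """
    user, host, port, path = split_ssh_url(url)
    if check:
        for name, value in (("user", user), ("host", host), ("port", port)):
            if value is not None and value.startswith("-"):
                raise ValueError("potentially unsafe %s: %r" % (name, value))
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    target = "%s@%s" % (user, host) if user else host
    argv += [target, "hg -R %s serve --stdio" % path]
    return argv


def is_safe_ssh_url(url):
    """True if the hardened builder accepts the URL, False if it rejects it."""
    try:
        build_ssh_argv(url)
        return True
    except ValueError:
        return False


def audit_path(root, relpath):
    """Reject a working-directory path that could escape the repository.

    Rules (illustrative, modelled on what a path auditor must enforce):
      * no absolute paths and no '', '.' or '..' components;
      * no *directory* component that is a symlink: a checkout that first
        writes 'link -> /outside' and then 'link/file' would otherwise
        write outside the repository.  The leaf itself is left to the
        writer, which must replace rather than follow an existing link.
    Returns the joined path if acceptable, raises ValueError otherwise.
    """
    if os.path.isabs(relpath):
        raise ValueError("absolute path: %r" % relpath)
    parts = relpath.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise ValueError("path traversal: %r" % relpath)
    current = root
    for part in parts[:-1]:  # every directory component, not the leaf
        current = os.path.join(current, part)
        if os.path.islink(current):
            raise ValueError("path traverses symlink: %r" % relpath)
    return os.path.join(root, relpath)


def is_safe_repo_path(root, relpath):
    """True if audit_path accepts relpath under root, False if it rejects it."""
    try:
        audit_path(root, relpath)
        return True
    except ValueError:
        return False


def demo_symlink_escape():
    """Constructed layout: tmp/repo/src/, tmp/outside/, tmp/repo/link -> outside.

    Returns (True if 'src/main.py' was accepted, error text for 'link/evil.txt'
    or None if it was wrongly accepted).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "src"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))
        good = audit_path(root, "src/main.py").endswith("src/main.py")
        try:
            audit_path(root, "link/evil.txt")
            escaped = None
        except ValueError as e:
            escaped = str(e)
        return good, escaped


if __name__ == "__main__":
    print(build_ssh_argv("ssh://-oProxyCommand=id/tmp/repo", check=False))
    print(is_safe_ssh_url("ssh://-oProxyCommand=id/tmp/repo"))
    print(demo_symlink_escape())
```

Run as a script, the first line shows `-oProxyCommand=id` sitting where ssh expects its options; the same URL is refused once `check` is on. The symlink check has to run on every directory component, not only on the final path, because the escape works by writing the link first and the file second, in the same update.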