#9600: mercurial-4.3
-------------------------+-----------------------
 Reporter:  ken@…        |       Owner:  ken@…
     Type:  enhancement  |      Status:  assigned
 Priority:  high         |   Milestone:  8.1
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+-----------------------
Description changed by ken@…:

Old description:

> Following on from git-2.14.1, mercurial-4.3 and -4.2.3 have both been
> released. The Download Now link currently points to 4.2.3 but I assume we
> should go to 4.3. I assume these fix CVE-2017-1000116 but no details are
> available.

New description:

 Following on from git-2.14.1, mercurial-4.3 and -4.2.3 have both been
 released. The Download Now link currently points to 4.2.3 but I assume we
 should go to 4.3. From [https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html]

 {{{
 Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch
 *immediately*:

 CVE-2017-1000115:

 Mercurial's symlink auditing was incomplete prior to 4.3, and could be
 abused to write to files outside the repository.

 CVE-2017-1000116:

 Mercurial was not sanitizing hostnames passed to ssh, allowing shell
 injection attacks by specifying a hostname starting with -oProxyCommand.
 This is also present in Git (CVE-2017-1000117) and Subversion
 (CVE-2017-9800), so please patch those tools as well if you have them
 installed. All three tools are doing their security release today.

 Please update your packaged builds as soon as practical.

 Note that since we dropped Python 2.6 and these issues are pretty bad, we
 did the back port to 4.2.3. We may not do further 4.2 releases, so please
 plan around Python 2.7 in the near future if you haven't already.

 Thanks!
 Augie
 }}}

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/9600#comment:2>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
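The CVE-2017-1000116 bug class quoted in the ticket, a remote "hostname" that ssh parses as an option rather than a destination, as an added defensive example in Python (this is not Mercurial's, Git's or BLFS's own code): it pulls the host out of an ssh:// clone URL, refuses anything ssh could read as an option, and builds the ssh argv as a list so no shell is involved. The URLs and the remote command string are constructed for illustration, and the check generalises to any leading-dash argument, not only -oProxyCommand.

```python
import re
from urllib.parse import urlsplit

# Host names/addresses we are willing to hand to ssh: letters, digits, dots,
# hyphens, and the colon/bracket characters of IPv6 literals. The first
# character may never be '-', otherwise ssh's option parser would treat the
# "hostname" as an option such as -oProxyCommand=... (CVE-2017-1000116).
SAFE_HOST_RE = re.compile(r"^[A-Za-z0-9\[][A-Za-z0-9.:\[\]-]*$")


def is_safe_ssh_host(host):
    """True only for a plain host name or IP literal that ssh cannot
    mistake for a command-line option."""
    if not host or host[0] == "-":
        return False
    return SAFE_HOST_RE.match(host) is not None


def host_from_ssh_url(url):
    """Extract the host part of an ssh://[user@]host[:port]/path URL.
    urlsplit does no safety checking: it returns a host beginning with
    '-' just as readily as a real one, so the caller must validate it."""
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise ValueError("not an ssh:// URL: %r" % url)
    return parts.hostname or ""


def build_ssh_argv(host, remote_cmd, user=None):
    """Build the argv for invoking ssh as a list (no shell), refusing any
    host that could be parsed as an option. remote_cmd is assumed to be a
    fixed string chosen by the client, never taken from the URL."""
    if not is_safe_ssh_host(host):
        raise ValueError("refusing unsafe ssh hostname: %r" % host)
    target = "%s@%s" % (user, host) if user else host
    return ["ssh", target, remote_cmd]


if __name__ == "__main__":
    # Constructed clone URLs: one ordinary, one shaped like the CVE report.
    for url in ("ssh://hg@hg.example.org/repo",
                "ssh://-oProxyCommand=example/repo"):
        host = host_from_ssh_url(url)
        try:
            print(build_ssh_argv(host, "hg -R repo serve --stdio"))
        except ValueError as exc:
            print("blocked:", exc)
```

Pass the returned list to subprocess.run without shell=True; the host check is still needed because ssh itself, not the shell, is what interprets a leading-dash argument.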