On Thu, Aug 10, 2017 at 12:10 PM, Gregory Szorc <g...@mozilla.com> wrote:
> Git, Mercurial, and Subversion just had a coordinated release to mitigate
> a security vulnerability regarding the parsing of ssh:// URLs. Essentially,
> well-crafted ssh:// URLs (e.g. in a subrepo, submodule, or svn:externals
> references) could lead to local code execution. If you run a command like
> `git clone --recurse-submodules` or `hg pull --update` and nefarious data
> is received, you could be p0wned.
>
> This is tracked in at least CVE-2017-1000116 and CVE-2017-1000117.
>
> In addition, Mercurial issued a security fix for symlink handling that
> could result in arbitrary filesystem write (attempts) for well-crafted
> symlinks. This is CVE-2017-1000115.
>
> You should upgrade your version control clients ASAP to eliminate exposure
> to these bugs. Until you do, be extra cognizant where you pull from -
> especially any operation related to subrepos/submodules.
>
> As of today, hg.mozilla.org is now configured to not allow subrepos and
> symlinks on non-user repos. The main Firefox repos have been audited and no
> "bad" data is present. So, the canonical Firefox repos cannot be used as a
> delivery vehicle for these exploits. I anticipate popular hosting services
> like GitHub and Bitbucket will take similar actions and make similar
> announcements.
>
> Critical version control infrastructure like hg.mozilla.org and Autoland
> has been patched for several days courtesy of responsible early disclosure
> of the vulnerabilities and fixes from the Mercurial Project.
>
> Announcements:
>
> hg: https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html
> git: http://marc.info/?l=git&m=150238802328673&w=2
> svn: http://mail-archives.apache.org/mod_mbox/subversion-announce/201708.mbox/%3C2fefe468-7d41-11e7-aea1-9312c6089150%40apache.org%3E
>
> Following up...
The Mozilla tracking bugs for these security releases are:

Mercurial: 1385978
Git: 1386035
Subversion: 1386038

(Note: only the Mercurial one is currently public)

There were some failures in Mercurial's release process yesterday. Mercurial 4.3.1 was released shortly after 4.3 because 4.3 didn't include the security fixes. If you upgraded to 4.3 yesterday, please run `hg version` and make sure you are on 4.3.1 and upgrade if not.

Also, PyPI isn't hosting a tar.gz for Mercurial 4.2.3 because of a mix-up involving uploading of that file and PyPI's inability to replace a file once uploaded. If you need to `pip install Mercurial` from source (any platform not Windows - which should pick up the binary Python wheel packages from PyPI), you can add a `--find-links https://www.mercurial-scm.org/release/` to `pip install` or a pip requirements file and it will find the tar.gz from Mercurial's official hosting location. The SHA-256 for pip requirements pinning (which you should almost always use) is 04908fc7d89e5810edf3d2762f5aecce5b5c0cb8534f3dbff7d0d848d11ff7ac. (GPG signature available at aforementioned URL if you want to verify.)

There's also one known regression in 4.3.1 that impacts old Python 2.7 releases. If you get an error mentioning "branchmap.py" and "bytearray", this will be fixed in 4.3.2. It isn't clear if 4.3.2 will be released before the next scheduled minor release on September 1.

If you've been impacted by the Try/pushlog outages recently, it is fallout from this. We had to shotgun upgrade all important infrastructure to Mercurial 4.2 last week to prepare for this release. My perception is the upgrade problems aren't worthy of running a custom Mercurial 4.1 build (which would be a hassle). So we've been working through the problems as they arise (with the assumption that issues are infrequent, easily correctable, and will be addressed soon).
Hopefully the recent high stability of hg.mozilla.org relative to where it was 5 years ago has built up enough karma that a few days of instability is tolerable. But I do apologize if this has caused any inconvenience: I hate being blocked on getting things done as much as you do. I hope to have upgrade fallout bugs sorted out by next week. Bug 1359641 tracks everything related to the 4.2 upgrade.

Finally, little has landed to prepare things like version-control-tools extensions for Mercurial 4.3. That is normally something I do the week or two before a major release. But the security fire drill preempted that work. If you find random bugs with our custom extensions with 4.3, that's probably why. If you want to help, ping me (gps) in #vcs on IRC. It would be particularly useful to find a champion to keep the `mach bootstrap` Mercurial functionality up to date. Anyway, track 4.3 things against bug 1389562.

Sorry for the wall of text and the disruptions. It has been a very chaotic ~2 weeks to prepare and handle this security event.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
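Editor's added example (not code from the post, from Mozilla, or from the Git or Mercurial projects): a small audit in the spirit of the "main Firefox repos have been audited" step above, for anyone who wants to check their own `.gitmodules` / `.hgsub` data before running a recursive clone or update on an unpatched client. The post only says "well-crafted ssh:// URLs"; the rule the script applies, that an ssh user, host or port beginning with `-` is dangerous because ssh would read it as a command-line option (e.g. `-oProxyCommand=...`), is the shape the public fixes for the listed CVEs reject, and is treated here as a heuristic. The sample `.gitmodules` and `.hgsub` contents are constructed, and the assumption that only git uses the scp-like `host:path` form is the script's, not the post's.

```python
"""Audit .gitmodules / .hgsub entries for ssh URLs whose authority would be
read by ssh as a command-line option. Added example: not code from the post,
Mozilla, Git or Mercurial. The "user, host or port begins with '-'" rule is
what the public fixes for the CVEs above reject; treat it as a heuristic."""
import re

SSH_URL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/]*)")
SCP_LIKE_RE = re.compile(r"^([^/:]+):")  # git's "[user@]host:path" form

def ssh_netloc(url, allow_scp=False):
    """Authority part of a URL git/hg would hand to ssh, or None.
    Schemes ending in "ssh" (ssh, git+ssh, svn+ssh) count; the scp-like form
    only when allow_scp is set (assumption: only git submodules use it)."""
    m = SSH_URL_RE.match(url)
    if m:
        return m.group(2) if m.group(1).lower().endswith("ssh") else None
    m = SCP_LIKE_RE.match(url) if allow_scp else None
    return m.group(1) if m else None

def split_authority(netloc):
    """Split "[user@]host[:port]" into (user, host, port), "" when absent.
    A bracketed IPv6 literal keeps its brackets so its colons are not a port."""
    user, _, hostport = netloc.rpartition("@")
    if hostport.startswith("[") and "]" in hostport:
        end = hostport.index("]") + 1
        host, rest = hostport[:end], hostport[end:]
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    return user, host, port

def is_suspicious_ssh_url(url, allow_scp=False):
    """True if user, host or port begins with '-' (ssh would treat it as an
    option such as -oProxyCommand=... instead of a destination)."""
    netloc = ssh_netloc(url, allow_scp)
    if netloc is None:
        return False
    return any(part.startswith("-") for part in split_authority(netloc))

def parse_gitmodules(text):
    """Map submodule name -> url from git-config style .gitmodules text."""
    urls, name = {}, None
    for line in text.splitlines():
        sec = re.match(r'^\s*\[submodule\s+"([^"]*)"\]', line)
        if sec:
            name = sec.group(1)
            continue
        kv = re.match(r"^\s*url\s*=\s*(.*?)\s*$", line)
        if kv and name is not None:
            urls[name] = kv.group(1)
    return urls

def parse_hgsub(text):
    """Map subrepo path -> source from .hgsub lines "path = [kind]source"."""
    sources = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        path, _, source = line.partition("=")
        # drop an explicit kind prefix such as [git] or [svn]
        sources[path.strip()] = re.sub(r"^\[\w+\]", "", source.strip())
    return sources

def audit(gitmodules="", hgsub=""):
    """(file, entry, url) for every entry to hold back from a recursive
    clone/update until a human has looked at it."""
    findings = []
    for name, url in parse_gitmodules(gitmodules).items():
        if is_suspicious_ssh_url(url, allow_scp=True):
            findings.append(("gitmodules", name, url))
    for path, source in parse_hgsub(hgsub).items():
        if is_suspicious_ssh_url(source):
            findings.append(("hgsub", path, source))
    return findings

# Constructed sample inputs, not taken from any real repository.
SAMPLE_GITMODULES = """\
[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = ssh://git@example.org/vendor/lib.git
[submodule "evil"]
\tpath = evil
\turl = ssh://-oProxyCommand=touch%20pwned/repo
[submodule "scp-evil"]
\tpath = scp-evil
\turl = -oProxyCommand=id:repo
"""
SAMPLE_HGSUB = """\
# constructed sample .hgsub
tools = ssh://hg@example.org/tools#default
bad = [git]ssh://-oProxyCommand=id@example.org/repo
local = ../sibling
"""

if __name__ == "__main__":
    for where, entry, url in audit(SAMPLE_GITMODULES, SAMPLE_HGSUB):
        print(f"{where}: {entry} -> {url}")
```

Run it against the real files of a checkout (`audit(open(".gitmodules").read(), open(".hgsub").read())`) before a recursive operation on a client you have not yet upgraded; an empty result is only as good as the heuristic, so upgrading to the fixed releases listed above remains the actual fix.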