CVE-2017-1000115:

Mercurial's symlink auditing was incomplete prior to 4.3, and could be 
abused to write to files outside the repository.

CVE-2017-1000116:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell 
injection attacks by specifying a hostname starting with -oProxyCommand. 

Currently we have:

        hg      thg
f25     3.8.1   3.8.3(f24)
f26     4.2     4.2.1

Mercurial upstream has provided fixed versions 4.3 and 4.2.3.

I propose that for f26 we update hg to 4.2.3, together with thg 4.2.3 
(currently the latest is 4.2.2).

I propose for f25 to similarly update hg and thg to 4.2.3.

Another package that requires mercurial and may be affected is hg-git.

Thoughts?

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
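The two advisories quoted above describe missing input checks: a hostname that ssh parses as an option, and a symlink audit that stops at the lexical path. The following is an added illustration of what those checks look like; it is not Mercurial's own code or patch, and the function names, the repository fixture and the sample hostnames are constructed for the example.

```python
import os
import tempfile

# Added example, not Mercurial's code: defensive checks matching the two
# CVE descriptions above (hostname-as-option, and symlink escape).


def validate_ssh_host(host: str) -> str:
    """Refuse a hostname that ssh's argv parser would treat as an option.

    Any argv element beginning with '-' is read by ssh as a flag, so a
    'hostname' such as '-oProxyCommand=...' turns into a command that ssh
    runs locally.  Rejecting it before it reaches argv closes the hole
    described for CVE-2017-1000116.
    """
    if not host:
        raise ValueError("empty hostname")
    if host.startswith("-"):
        raise ValueError(f"invalid hostname (parses as an ssh option): {host!r}")
    return host


def build_ssh_argv(host: str, remote_cmd: str) -> list:
    """Build the ssh command as an argv list (no shell) after validating the host."""
    return ["ssh", validate_ssh_host(host), remote_cmd]


def is_inside_repo(repo_root: str, relpath: str) -> bool:
    """True only if relpath stays under repo_root once every symlink is resolved.

    A check on the lexical path alone is exactly the incomplete audit that
    CVE-2017-1000115 describes: 'link/file' looks local, but if 'link'
    points outside the repository the write lands outside it too.
    """
    root = os.path.realpath(repo_root)
    target = os.path.realpath(os.path.join(root, relpath))
    return os.path.commonpath([root, target]) == root


def demo_symlink_escape() -> dict:
    """Constructed fixture: repo/link -> ../outside, then probe three paths."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(repo)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(repo, "link"))
        return {
            "plain_file": is_inside_repo(repo, "docs/README"),     # stays inside
            "through_link": is_inside_repo(repo, "link/file.txt"),  # escapes via symlink
            "dotdot": is_inside_repo(repo, "../outside/file.txt"),  # escapes lexically
        }


if __name__ == "__main__":
    print(build_ssh_argv("hg.example.org", "hg serve --stdio"))
    print(demo_symlink_escape())
```

The hostname check deliberately rejects the whole class of values starting with `-` rather than only `-oProxyCommand`, and the path check compares resolved paths with `os.path.commonpath`, which also catches plain `..` traversal.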