> On Aug 10, 2017, at 14:09, Augie Fackler <r...@durin42.com> wrote:
> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*:

Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly.

> CVE-2017-1000115:
> Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused 
> to write to files outside the repository.
> CVE-2017-1000116:
> Mercurial was not sanitizing hostnames passed to ssh, allowing shell 
> injection attacks by specifying a hostname starting with -oProxyCommand. This 
> is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so 
> please patch those tools as well if you have them installed. All three tools 
> are doing their security release today.
> Please update your packaged builds as soon as practical.
> Note that since we dropped Python 2.6 and these issues are pretty bad, we did 
> the backport to 4.2.3. We may not do further 4.2 releases, so please plan 
> around Python 2.7 in the near future if you haven't already.
> Thanks!
> Augie

Mercurial-devel mailing list
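The CVE-2017-1000116 class of bug is an argument-injection: a "hostname" that begins with "-" is parsed by ssh as an option, so "-oProxyCommand=..." makes ssh run an arbitrary command. The following is an added example of the defensive check, not Mercurial's own code; the URL parser, the hostname regex and the remote command string are assumptions made for illustration.

```python
"""Reject option-like hostnames before handing a URL to ssh (added example, hypothetical code)."""
import re
import shlex

# Assumption: hostnames (RFC 1123 labels) and IPv4 literals never start with "-";
# bracketed IPv6 literals are not handled by this simplified example.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


def parse_ssh_url(url):
    """Split ssh://[user@]host[:port]/path into parts, or raise ValueError.

    Any component that ssh would receive as its own argv element (user@host)
    must not begin with "-", otherwise ssh treats it as an option.
    """
    m = re.match(r"^ssh://(?:([^@/]+)@)?([^:/]+)(?::(\d+))?(/.*)?$", url)
    if not m:
        raise ValueError("not an ssh:// URL: %r" % url)
    user, host, port, path = m.groups()
    for name, value in (("user", user), ("host", host)):
        if value is not None and value.startswith("-"):
            raise ValueError("%s %r would be parsed by ssh as an option" % (name, value))
    if not _HOST_RE.match(host):
        raise ValueError("invalid hostname %r" % host)
    return {"user": user, "host": host, "port": port, "path": path or "/"}


def build_ssh_argv(url):
    """Build an argv for ssh (invoked without a shell) that serves the repository.

    The "--" ends ssh's option parsing (OpenSSH uses getopt, which honours it),
    so even if validation were bypassed the target could not become an option.
    The remote command is quoted for the remote shell with shlex.quote.
    """
    p = parse_ssh_url(url)
    argv = ["ssh"]
    if p["port"]:
        argv += ["-p", p["port"]]
    target = p["host"] if p["user"] is None else "%s@%s" % (p["user"], p["host"])
    remote_cmd = "hg -R %s serve --stdio" % shlex.quote(p["path"])
    return argv + ["--", target, remote_cmd]
```

The resulting argv is meant for subprocess.Popen without shell=True; the validation and the "--" are independent layers, and a patched client (Mercurial 4.3, Git and Subversion releases of the same day) applies equivalent checks itself.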