> On Aug 10, 2017, at 14:25, Augie Fackler <r...@durin42.com> wrote:
>
>> On Aug 10, 2017, at 14:11, Augie Fackler <r...@durin42.com> wrote:
>>
>>> On Aug 10, 2017, at 14:09, Augie Fackler <r...@durin42.com> wrote:
>>>
>>> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*:
>>
>> Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly.
>
> 4.2.3 is now correctly available from mercurial-scm.org <http://mercurial-scm.org/> and has a tag in mercurial-scm.org/repo/hg-committed <http://mercurial-scm.org/repo/hg-committed>.
>
> I can't (sadly) upload it to pypi, please let me know if that's a major concern for you.

The betrayal of the release scripts continues: 4.3 didn't include the security patches correctly. So there's now a 4.3.1 with the patches. (I'll do a mini-postmortem on this later, not to worry.)

>>> CVE-2017-1000115:
>>>
>>> Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
>>>
>>> CVE-2017-1000116:
>>>
>>> Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed. All three tools are doing their security release today.
>>>
>>> Please update your packaged builds as soon as practical.
>>>
>>> Note that since we dropped Python 2.6 and these issues are pretty bad, we did the back port to 4.2.3. We may not do further 4.2 releases, so please plan around Python 2.7 in the near future if you haven't already.
>>>
>>> Thanks!
>>> Augie
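The two advisories quoted in this thread describe two classes of bug: an ssh "hostname" that begins with `-` and is therefore parsed by ssh as an option (CVE-2017-1000116), and working-copy path auditing that did not check every component for a symlink escaping the repository (CVE-2017-1000115). The following is an added example showing the defensive checks a client would apply in each case; it is not Mercurial's own code, and the function names, the scratch repository layout and all sample inputs are constructed for the illustration.

```python
"""Defensive checks for the two bug classes named in the release announcement
above (ssh hostname handling; symlink auditing of working-copy paths).

Added example, not Mercurial's own code: the function names, the scratch
repository layout and all sample inputs are constructed for illustration.
"""
import os
import tempfile


class InsecureInputError(ValueError):
    """Raised when a hostname or working-copy path fails auditing."""


def check_ssh_target(host, user=None):
    """Return 'user@host' (or 'host') only if ssh cannot misparse it.

    A "hostname" beginning with '-' (for example one starting with
    -oProxyCommand) is read by ssh as a command-line option, so it must be
    rejected before it is placed into the ssh argv.  The user part is
    checked too, because 'user@host' reaches ssh as a single argument.
    """
    if not host:
        raise InsecureInputError("empty ssh hostname")
    target = host if user is None else "%s@%s" % (user, host)
    if target.startswith("-"):
        raise InsecureInputError("illegal ssh hostname: %r" % target)
    if any(ch.isspace() for ch in target):
        raise InsecureInputError("whitespace in ssh hostname: %r" % target)
    return target


def is_safe_ssh_target(host, user=None):
    """Boolean form of check_ssh_target, convenient for tests and logging."""
    try:
        check_ssh_target(host, user)
        return True
    except InsecureInputError:
        return False


def build_ssh_argv(host, remote_cmd, user=None, port=None):
    """Build an argv list (never a shell string) for running a command over ssh."""
    target = check_ssh_target(host, user)
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(int(port))]
    # OpenSSH parses options with getopt, so '--' ends option parsing.  Not
    # every ssh-compatible client honours it, which is why the validation
    # above is the primary control and this separator is only defence in depth.
    argv += ["--", target, remote_cmd]
    return argv


def audit_path(repo_root, relpath):
    """Return the absolute path for relpath, or raise if it escapes repo_root.

    Every directory component is checked, not only the last one: a symlink
    written by an earlier step of the same update could otherwise redirect a
    later write to a location outside the repository.
    """
    if not relpath or os.path.isabs(relpath):
        raise InsecureInputError("path must be non-empty and relative: %r" % relpath)
    parts = relpath.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise InsecureInputError("illegal path component in %r" % relpath)
    root = os.path.realpath(repo_root)
    current = root
    for part in parts[:-1]:
        current = os.path.join(current, part)
        if os.path.islink(current):
            raise InsecureInputError("path %r traverses symlink %r" % (relpath, part))
    # Defence in depth: the resolved parent directory must still lie inside root.
    resolved_parent = os.path.realpath(current)
    if resolved_parent != root and not resolved_parent.startswith(root + os.sep):
        raise InsecureInputError("path %r resolves outside the repository" % relpath)
    return os.path.join(current, parts[-1])


def demo_symlink_audit():
    """Build a scratch repo (constructed) holding a symlink that points outside it.

    Returns (accepted, rejected): an ordinary path passes the audit and the
    path routed through the symlink is refused.
    """
    base = tempfile.mkdtemp()
    repo = os.path.join(base, "repo")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(repo, "src"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(repo, "escape"))  # constructed escaping link
    expected = os.path.join(os.path.realpath(repo), "src", "main.py")
    accepted = audit_path(repo, "src/main.py") == expected
    try:
        audit_path(repo, "escape/notes.txt")
        rejected = False
    except InsecureInputError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(build_ssh_argv("hg.example.org", "hg -R repo serve --stdio", user="hg"))
    print(demo_symlink_audit())
```

The hostname check runs before any argv is assembled and the command is passed as a list rather than a shell string, so neither ssh option parsing nor a shell sees attacker-shaped input; the path auditor walks every prefix directory, since checking only the final component is exactly the gap the 4.3 release closed.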
_______________________________________________
Mercurial-devel mailing list
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel