Boris Feld <boris.f...@octobus.net> writes:

> On Thu, 2017-08-10 at 14:09 -0400, Augie Fackler wrote:
>> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch
>> *immediately*:
>>
>> CVE-2017-1000115:
>>
>> Mercurial's symlink auditing was incomplete prior to 4.3, and could
>> be abused to write to files outside the repository.
>>
>> CVE-2017-1000116:
>>
>> Mercurial was not sanitizing hostnames passed to ssh, allowing shell
>> injection attacks by specifying a hostname starting with
>> -oProxyCommand. This is also present in Git (CVE-2017-1000117) and
>> Subversion (CVE-2017-9800), so please patch those tools as well if
>> you have them installed. All three tools are doing their security
>> release today.
>>
>> Please update your packaged builds as soon as practical.
>>
>> Note that since we dropped Python 2.6 and these issues are pretty
>> bad, we did the back port to 4.2.3. We may not do further 4.2
>> releases, so please plan around Python 2.7 in the near future if you
>> haven't already.
>>
>> Thanks!
>> Augie
>
> Thank you Augie for the release and thank you Yuja, Sean and Jun for
> the security fixes!
>
> We had to backport the patches for Mercurial 4.1.3 for some customers.
>
> We made them available in case someone else needs them:
>
> https://bitbucket.org/octobus/mercurial-backport/branch/backport-4.1
In what turned out to be a nightmare for me, I, too, have backported these fixes to 3.7.3:

https://bitbucket.org/atlassian/mercurial/commits/branch/sec-3.7

I viewed this as an exercise and in no way promise to backport future things.
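As an added illustration of the defensive check behind CVE-2017-1000116 (this is not Mercurial's own code and not part of the thread): an ssh:// URL is parsed and its host and user are validated so that a value beginning with "-" (the -oProxyCommand vector) or containing shell metacharacters is refused before anything is handed to ssh, and ssh is invoked as an argv list with a "--" separator rather than through a shell. The function names and the remote command string are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Only plain DNS-label characters for hosts and simple account names for users.
# Anything else (a leading '-', ';', '$', whitespace, ...) is rejected up front,
# so it can never be interpreted as an ssh option or by a shell.
_HOST_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$')
_USER_RE = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_.-]*$')


def is_safe_ssh_host(host):
    """True only if ssh cannot read `host` as an option (no leading '-') and
    it consists solely of hostname characters (no shell metacharacters)."""
    return bool(host) and not host.startswith('-') and _HOST_RE.match(host) is not None


def build_ssh_argv(url, remote_cmd='hg serve --stdio'):
    """Turn an ssh:// repository URL into an argv list for subprocess (no shell).

    Raises ValueError when the host, user or port could be misread by ssh.
    The '--' separator is a second line of defence behind the validation.
    `remote_cmd` is passed through unchanged; quoting the repository path for
    the remote shell is a separate concern not shown here.
    """
    parts = urlsplit(url)
    if parts.scheme != 'ssh':
        raise ValueError('not an ssh:// URL: %r' % url)
    host = parts.hostname or ''          # urlsplit lower-cases the host
    if not is_safe_ssh_host(host):
        raise ValueError('refusing potentially unsafe ssh host: %r' % host)
    user = parts.username
    if user is not None and (user.startswith('-') or not _USER_RE.match(user)):
        raise ValueError('refusing potentially unsafe ssh user: %r' % user)
    try:
        port = parts.port                # raises ValueError if non-numeric
    except ValueError:
        raise ValueError('invalid port in %r' % url)
    argv = ['ssh']
    if port is not None:
        argv += ['-p', str(port)]
    argv.append('--')                    # everything after this is a non-option
    argv.append('%s@%s' % (user, host) if user else host)
    argv.append(remote_cmd)
    return argv


def ssh_url_is_accepted(url):
    """Convenience predicate: True if build_ssh_argv() accepts `url`."""
    try:
        build_ssh_argv(url)
    except ValueError:
        return False
    return True
```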
_______________________________________________
Mercurial-devel mailing list
Mercurialemail@example.com
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel