Boris Feld <> writes:

> On Thu, 2017-08-10 at 14:09 -0400, Augie Fackler wrote:
>> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch
>> *immediately*:
>> CVE-2017-1000115:
>> Mercurial's symlink auditing was incomplete prior to 4.3, and could
>> be abused to write to files outside the repository.
>> CVE-2017-1000116:
>> Mercurial was not sanitizing hostnames passed to ssh, allowing shell
>> injection attacks by specifying a hostname starting with
>> -oProxyCommand. This is also present in Git (CVE-2017-1000117) and
>> Subversion (CVE-2017-9800), so please patch those tools as well if
>> you have them installed. All three tools are doing their security
>> release today.
>> Please update your packaged builds as soon as practical.
>> Note that since we dropped Python 2.6 and these issues are pretty
>> bad, we did the backport to 4.2.3. We may not do further 4.2
>> releases, so please plan around Python 2.7 in the near future if you
>> haven't already.
>> Thanks!
>> Augie
> Thank you Augie for the release and thank you Yuja, Sean and Jun for
> the security fixes!
> We had to backport the patches for Mercurial 4.1.3 for some customers.
> We made them available in case someone else needs them:
> 1.

In what turned out to be a nightmare for me, I too, have backported
these fixes to 3.7.3:

I viewed this as an exercise and in no way promise to backport future
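As an added, defensive illustration of the second issue (CVE-2017-1000116) that is not Mercurial's, Git's or any poster's own code: a Python helper that builds the ssh argument vector from an ssh:// clone URL and refuses any user or host component that ssh would parse as an option such as -oProxyCommand. The function names, the `--` separator and the remote command shape are my own assumptions.

```python
import shlex
from urllib.parse import urlsplit


class UnsafeSshArgument(ValueError):
    """Raised when a URL component could be parsed by ssh as an option."""


def _check_field(name, value):
    # A value starting with '-' is an ssh option, not a destination (this is
    # how -oProxyCommand was smuggled in); whitespace could split one
    # argument into several, so both are refused outright.
    if not value or value.startswith("-") or any(c.isspace() for c in value):
        raise UnsafeSshArgument(f"refusing {name}={value!r}")
    return value


def ssh_argv_for_url(url):
    """Return the argv list to spawn ssh for an ssh:// URL, or raise."""
    u = urlsplit(url)
    if u.scheme != "ssh":
        raise UnsafeSshArgument(f"not an ssh URL: {url!r}")
    dest = _check_field("host", u.hostname)
    if u.username is not None:
        dest = _check_field("user", u.username) + "@" + dest
    argv = ["ssh"]
    # u.port raises ValueError itself for anything that is not a valid number.
    if u.port is not None:
        argv += ["-p", str(u.port)]
    # Remote path is quoted for the remote shell; '--' ends ssh option parsing
    # so the destination can never be interpreted as an option.
    repo = shlex.quote(u.path.lstrip("/"))
    argv += ["--", dest, f"hg -R {repo} serve --stdio"]
    return argv


def is_rejected(url):
    """True if the URL is refused by ssh_argv_for_url (constructed inputs only)."""
    try:
        ssh_argv_for_url(url)
    except (UnsafeSshArgument, ValueError):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample URLs: one benign, one carrying an option as hostname.
    print(ssh_argv_for_url("ssh://alice@hg.example.org:2222/team/repo"))
    print(is_rejected("ssh://-oProxyCommand=x/repo"))
```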


Mercurial-devel mailing list
