Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*:


Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused 
to write to files outside the repository.


Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection 
attacks by specifying a hostname starting with -oProxyCommand. This is also 
present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please 
patch those tools as well if you have them installed. All three tools are doing 
their security release today.

Please update your packaged builds as soon as practical.

Note that since we dropped Python 2.6 and these issues are pretty bad, we did 
the backport to 4.2.3. We may not do further 4.2 releases, so please plan 
around Python 2.7 in the near future if you haven't already.


Attachment: signature.asc
Description: Message signed with OpenPGP

Mercurial-packaging mailing list
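The ssh hostname issue described in the announcement, as an added example that is not code from Mercurial, Git or Subversion: ssh(1) treats any argument that begins with "-" as an option, so a clone URL whose host part is "-oProxyCommand=xcalc" makes the local ssh run xcalc before any connection is attempted. The block below parses an ssh:// URL, builds the argv the vulnerable way and the hardened way, and shows the hardened builder refusing the hostile host. The URL EVIL_URL is constructed for the demonstration; parse_ssh_url, HOST_RE, unsafe_ssh_argv and safe_ssh_argv are names chosen here and do not correspond to any project's API.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed attacker-controlled clone URL (not a real target).
EVIL_URL = "ssh://-oProxyCommand=xcalc/repo"

# Assumed hostname syntax: a DNS name/IPv4 literal must begin with an
# alphanumeric, or an IPv6 literal in brackets. Anything starting with
# '-' can never match.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$|^\[[0-9A-Fa-f:.]+\]$")


def parse_ssh_url(url):
    """Split ssh://[user@]host[:port]/path into (user, host, port, path).

    The host is returned verbatim; validation is deferred so the unsafe
    and safe builders below can be compared on the same input.
    """
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise ValueError("not an ssh:// URL")
    netloc = parts.netloc
    user = None
    if "@" in netloc:
        user, netloc = netloc.rsplit("@", 1)
    port = None
    if ":" in netloc and not netloc.endswith("]"):  # "]" => bare IPv6 literal
        netloc, port_s = netloc.rsplit(":", 1)
        port = int(port_s)
    return (unquote(user) if user else None, unquote(netloc), port, parts.path)


def unsafe_ssh_argv(user, host, port, remote_cmd):
    """Vulnerable pattern: the user-controlled host goes straight into argv.

    With host '-oProxyCommand=xcalc', argv[1] is an ssh option and xcalc
    runs locally; no remote host is ever contacted.
    """
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    argv.append(f"{user}@{host}" if user else host)
    argv.append(remote_cmd)
    return argv


def safe_ssh_argv(user, host, port, remote_cmd):
    """Hardened pattern: reject option-like names, then end option parsing."""
    for name, value in (("user", user), ("host", host)):
        if value is not None and value.startswith("-"):
            raise ValueError(f"{name} {value!r} would be parsed by ssh as an option")
    if not HOST_RE.match(host):
        raise ValueError(f"host {host!r} is not a plausible hostname")
    if user is not None and not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", user):
        raise ValueError(f"user {user!r} is not a plausible login name")
    argv = ["ssh"]
    if port is not None:
        if not 0 < port < 65536:
            raise ValueError(f"port {port} out of range")
        argv += ["-p", str(port)]
    # '--' terminates OpenSSH option parsing (getopt convention), so even a
    # name that slipped past the checks above cannot become an option.
    argv.append("--")
    argv.append(f"{user}@{host}" if user else host)
    argv.append(remote_cmd)
    return argv


def argv_for_clone_url(url, remote_cmd="hg -R repo serve --stdio", hardened=True):
    """Build the local ssh command for a clone URL, vulnerable or hardened.

    remote_cmd is fixed here; quoting the repository path into the remote
    command is a separate (remote-side) injection concern not shown.
    """
    user, host, port, _path = parse_ssh_url(url)
    build = safe_ssh_argv if hardened else unsafe_ssh_argv
    return build(user, host, port, remote_cmd)


if __name__ == "__main__":
    print("vulnerable argv:", argv_for_clone_url(EVIL_URL, hardened=False))
    try:
        argv_for_clone_url(EVIL_URL)
    except ValueError as exc:
        print("hardened builder refused:", exc)
```

Two independent controls are applied on purpose: the syntactic check catches the hostile name before ssh is ever invoked, and the "--" separator protects against anything the check did not anticipate. Rejecting leading "-" alone is the minimum fix; the separator is the defence in depth.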
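The symlink issue described in the announcement, as an added example that is not Mercurial's pathauditor: a tracked symlink inside the working copy can point anywhere on the filesystem, so a later write to "link/file" that trusts the path lands outside the repository. The block builds that scenario in a temporary directory, shows the naive write escaping, and shows a component-by-component audit refusing the same path. audit_path and demo are names chosen here; the repository layout is constructed for the demonstration.

```python
import os
import tempfile


def audit_path(root, relpath):
    """Return the absolute destination for relpath under root, or raise.

    Rejects absolute paths, empty/'.'/'..' components, the '.hg' metadata
    directory, and any component that already exists as a symlink.  This
    is an illustrative audit, not Mercurial's own; it is also subject to
    a time-of-check/time-of-use race unless the caller holds the
    working-copy lock while checking and writing.
    """
    if os.path.isabs(relpath):
        raise ValueError(f"absolute path {relpath!r} rejected")
    parts = relpath.replace("\\", "/").split("/")
    for part in parts:
        if part in ("", ".", ".."):
            raise ValueError(f"path {relpath!r} contains {part!r}")
        if part.lower() == ".hg":
            raise ValueError(f"path {relpath!r} enters repository metadata")
    current = root
    for part in parts:
        current = os.path.join(current, part)
        # islink() uses lstat and returns False for components that do not
        # exist yet, which is the normal case for a newly created file.
        if os.path.islink(current):
            raise ValueError(f"path {relpath!r} traverses symlink {part!r}")
    return current


def demo():
    """Constructed scenario: a symlink inside the checkout escapes the root.

    Returns a dict of observations so the outcome can be asserted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        # A symlink 'evil' pointing outside the repository, as a hostile
        # changeset could introduce it.
        os.symlink(outside, os.path.join(root, "evil"))

        # Naive update: join and write, trusting the path.
        with open(os.path.join(root, "evil", "owned.txt"), "w") as fh:
            fh.write("escaped\n")
        naive_escaped = os.path.exists(os.path.join(outside, "owned.txt"))

        # Audited update: the symlink component is refused before any write.
        try:
            audit_path(root, "evil/owned.txt")
            audited_rejected = False
        except ValueError:
            audited_rejected = True

        return {"naive_escaped": naive_escaped,
                "audited_rejected": audited_rejected}


if __name__ == "__main__":
    print(demo())
```

The check walks every component rather than only the final one because the escape happens at the first symlinked directory; a check that resolves the whole path with realpath() and compares prefixes would also work, but the per-component walk gives a precise error and does not require the target to exist.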
