> On Aug 10, 2017, at 14:09, Augie Fackler <r...@durin42.com> wrote:
> 
> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immedately*:

Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly.

> 
> CVE-2017-1000115:
> 
> Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused 
> to write to files outside the repository.
> 
> CVE-2017-1000116:
> 
> Mercurial was not sanitizing hostnames passed to ssh, allowing shell 
> injection attacks by specifying a hostname starting with -oProxyCommand. This 
> is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so 
> please patch those tools as well if you have them installed. All three tools 
> are doing their security release today.
> 
> Please update your packaged builds as soon as practical.
> 
> Note that since we dropped Python 2.6 and these issues are pretty bad, we did 
> the back port to 4.2.3. We may not do further 4.2 releases, so please plan 
> around Python 2.7 in the near future if you haven't already.
> 
> Thanks!
> Augie

Attachment: signature.asc
Description: Message signed with OpenPGP

_______________________________________________
Mercurial-packaging mailing list
Mercurial-packaging@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-packaging

Reply via email to