> On Aug 10, 2017, at 14:25, Augie Fackler <r...@durin42.com> wrote:
> 
> 
>> On Aug 10, 2017, at 14:11, Augie Fackler <r...@durin42.com> wrote:
>> 
>> 
>>> On Aug 10, 2017, at 14:09, Augie Fackler <r...@durin42.com> wrote:
>>> 
>>> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*:
>> 
>> Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly.
> 
> 4.2.3 is now correctly available from http://mercurial-scm.org/ and has a 
> tag in http://mercurial-scm.org/repo/hg-committed.
> 
> I can't (sadly) upload it to pypi, please let me know if that's a major 
> concern for you.

The betrayal of the release scripts continues: 4.3 didn't include the security 
patches correctly.

So there's now a 4.3.1 with the patches.

(I'll do a mini-postmortem on this later, not to worry.)

> 
>> 
>>> 
>>> CVE-2017-1000115:
>>> 
>>> Mercurial's symlink auditing was incomplete prior to 4.3, and could be 
>>> abused to write to files outside the repository.
>>> 
>>> CVE-2017-1000116:
>>> 
>>> Mercurial was not sanitizing hostnames passed to ssh, allowing shell 
>>> injection attacks by specifying a hostname starting with -oProxyCommand. 
>>> This is also present in Git (CVE-2017-1000117) and Subversion 
>>> (CVE-2017-9800), so please patch those tools as well if you have them 
>>> installed. All three tools are doing their security release today.
>>> 
>>> Please update your packaged builds as soon as practical.
>>> 
>>> Note that since we dropped Python 2.6 and these issues are pretty bad, we 
>>> did the backport to 4.2.3. We may not do further 4.2 releases, so please 
>>> plan around Python 2.7 in the near future if you haven't already.
>>> 
>>> Thanks!
>>> Augie
>> 
> 
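
The hostname check described in the CVE-2017-1000116 notice above, as an added example that is not Mercurial's own code: a small Python validator that refuses a remote host beginning with "-" before the host is placed in an ssh argument vector, so the host can never be parsed as an ssh option. The allowed-character pattern, the exception type, the boolean helper, and the choice to build an argv list (no shell) with an explicit "--" separator are this example's assumptions, not the project's fix.

```python
import re

# Constructed example (not Mercurial's code): validate a remote host before it
# is handed to an ssh subprocess. A host that begins with "-" would be read by
# ssh as an option, which is the bug class the advisory describes.


class UnsafeHostError(ValueError):
    """Raised when a remote host string is not safe to pass to ssh."""


# Hypothetical allowed character set: letters, digits, dot, dash, underscore,
# "@" for user@host, and ":" / "[" / "]" for bracketed IPv6 literals.
_HOST_RE = re.compile(r'^[A-Za-z0-9._:\[\]@-]+$')


def validate_ssh_host(host):
    """Return host unchanged if it is safe; raise UnsafeHostError otherwise."""
    if not host:
        raise UnsafeHostError("empty host")
    if host.startswith('-'):
        # Leading dash: ssh would treat this as an option, not a host name.
        raise UnsafeHostError("host must not begin with '-': %r" % (host,))
    if not _HOST_RE.match(host):
        # Whitespace, quotes, "=", control characters etc. are rejected here.
        raise UnsafeHostError("host has disallowed characters: %r" % (host,))
    return host


def is_safe_host(host):
    """Boolean form of validate_ssh_host for callers that only need a verdict."""
    try:
        validate_ssh_host(host)
    except UnsafeHostError:
        return False
    return True


def build_ssh_argv(host, remote_cmd, port=None):
    """Build an argv list for subprocess (no shell involved).

    The "--" separator (assumption: the ssh binary honours it, as OpenSSH
    does) ends option parsing, so even a host that slipped past validation
    could not be interpreted as an option.
    """
    argv = ['ssh']
    if port is not None:
        argv += ['-p', str(int(port))]
    argv += ['--', validate_ssh_host(host), remote_cmd]
    return argv


if __name__ == '__main__':
    # Constructed inputs: one ordinary host, one host shaped like an ssh option.
    print(build_ssh_argv('hg.example.org', 'hg -R repo serve --stdio', port=22))
    print(is_safe_host('hg.example.org'), is_safe_host('-oProxyCommand'))
```

Callers would pass the returned list to subprocess.Popen without shell=True; the validation and the "--" separator are independent layers, so either one alone blocks the option-injection case while the pair also covers quoting mistakes.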


_______________________________________________
Mercurial-packaging mailing list
Mercurial-packaging@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-packaging
