On Tue, Mar 6, 2018 at 11:51 AM, Kevin Bullock <kbull...@ringworld.org>
> Please update your package builds, thanks.
> Multiple security vulnerabilities in Mercurial's HTTP wire protocol
> interface were fixed in this release:
> * Not all commands would deny access if the repository was configured to
> not allow read access.
> * The "batch" command did not check permissions of sub-commands, thus
> allowing permissions bypass to access and modify some repository data.
> Servers could have their bookmarks, phases, and obsolescence markers
> updated by any client that was able to trigger server processing of the
> "batch" command.
> Note that the tag and signature are only in hg-committed right now -- this
> is due to a known bug in our new patch acceptance process and will be fixed
> at some point. The tag and signature should land in main within the next
> hour or two.
contains a more detailed write-up of the security issues. It also links to
backports of the security patches to 4.4 and 4.3. Those backports weren't
explicitly reviewed through Mercurial's normal review mechanism. But I
authored the reviewed security fixes for 4.5 and the backports. So
hopefully there isn't a trust issue in play. Mozilla is currently running
the 4.4 backports in production on hg.mozilla.org and I can vouch that they
appear to work just as well as the official patches on 4.5.2.
Mercurial-packaging mailing list