On Tue, Mar 6, 2018 at 11:51 AM, Kevin Bullock <kbull...@ringworld.org> wrote:
> Please update your package builds, thanks. > > Multiple security vulnerabilities in Mercurial's HTTP wire protocol > interface were fixed in this release: > > * Not all commands would deny access if the repository was configured to > not allow read access. > > * The "batch" command did not check permissions of sub-commands, thus > allowing permissions bypass to access and modify some repository data. > Servers could have their bookmarks, phases, and obsolescence markers > updated by any client that was able to trigger server processing of the > "batch" command. > > Note that the tag and signature are only in hg-committed right now -- this > is due to a known bug in our new patch acceptance process and will be fixed > at some point. The tag and signature should land in main within the next > hour or two. > https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29 contains a more detailed write-up of the security issues. It also links to backports of the security patches to 4.4 and 4.3. Those backports weren't explicitly reviewed through Mercurial's normal review mechanism. But I authored the reviewed security fixes for 4.5 and the backports. So hopefully there isn't a trust issue in play. Mozilla is currently running the 4.4 backports in production on hg.mozilla.org and I can vouch that they appear to work just as well as the official patches on 4.5.2.
_______________________________________________ Mercurial-packaging mailing list Mercurial-packaging@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial-packaging