On Tue, Mar 06, 2018 at 02:39:47PM -0800, Gregory Szorc wrote:
> On Tue, Mar 6, 2018 at 11:51 AM, Kevin Bullock <kbull...@ringworld.org>
> wrote:
>
> > Please update your package builds, thanks.
> >
> > Multiple security vulnerabilities in Mercurial's HTTP wire protocol
> > interface were fixed in this release:
> >
> > * Not all commands would deny access if the repository was configured to
> > not allow read access.
> >
> > * The "batch" command did not check permissions of sub-commands, thus
> > allowing permissions bypass to access and modify some repository data.
> > Servers could have their bookmarks, phases, and obsolescence markers
> > updated by any client that was able to trigger server processing of the
> > "batch" command.
> >
> > Note that the tag and signature are only in hg-committed right now -- this
> > is due to a known bug in our new patch acceptance process and will be fixed
> > at some point. The tag and signature should land in main within the next
> > hour or two.
> >
>
> https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29
> contains a more detailed write-up of the security issues. It also links to
> backports of the security patches to 4.4 and 4.3. Those backports weren't
> explicitly reviewed through Mercurial's normal review mechanism. But I
> authored the reviewed security fixes for 4.5 and the backports. So
> hopefully there isn't a trust issue in play. Mozilla is currently running
> the 4.4 backports in production on hg.mozilla.org and I can vouch that they
> appear to work just as well as the official patches on 4.5.2.
Thanks for the backports. Greatly appreciated.

-- 
Juan Francisco Cantero Hurtado
http://juanfra.info

_______________________________________________
Mercurial-packaging mailing list
Mercurial-packaging@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-packaging
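The second bug class in the quoted advisory (a "batch" command that dispatches sub-commands without checking each sub-command's own permission) is a general pattern worth seeing in code. The block below is an added illustration written for this page; it is not Mercurial's wire-protocol code and is not from any participant in the thread. The Repo class, the command names, the permission table and the handler bodies are all assumed for the illustration. It shows the vulnerable dispatcher beside a corrected one that routes every sub-command through the single permission-checked entry point, and checks all sub-commands before executing any of them.

```python
"""Added example (not Mercurial's code): a batch dispatcher that skips
per-sub-command permission checks, next to a corrected version.
Repo, the command names and the permission table are assumptions."""

READ = "read"
WRITE = "write"


class Repo:
    """Toy repository with a per-repository access policy (assumed shape)."""

    def __init__(self, allow_read, allow_write):
        self.allow_read = allow_read
        self.allow_write = allow_write
        self.bookmarks = {}
        self.log = []  # names of commands that actually executed


# Permission each sub-command requires. "pushkey" mutates server-side
# state (bookmarks, phases, markers in the real protocol), so it is a write.
COMMAND_PERMISSIONS = {
    "heads": READ,
    "lookup": READ,
    "pushkey": WRITE,
}


def cmd_heads(repo, args):
    repo.log.append("heads")
    return ["deadbeef"]  # constructed sample node id


def cmd_lookup(repo, args):
    repo.log.append("lookup")
    return args.get("key")


def cmd_pushkey(repo, args):
    repo.log.append("pushkey")
    repo.bookmarks[args["key"]] = args["new"]
    return True


HANDLERS = {"heads": cmd_heads, "lookup": cmd_lookup, "pushkey": cmd_pushkey}


def check_permission(repo, perm):
    """Central policy. A write also needs read to be allowed."""
    if perm == READ and not repo.allow_read:
        raise PermissionError("read access denied")
    if perm == WRITE and not (repo.allow_read and repo.allow_write):
        raise PermissionError("write access denied")


def run_command(repo, name, args):
    """Single entry point: every command must reach a handler through here,
    so a repository that denies read access denies every command."""
    if name not in HANDLERS:
        raise ValueError("unknown command %r" % name)
    check_permission(repo, COMMAND_PERMISSIONS[name])
    return HANDLERS[name](repo, args)


def batch_vulnerable(repo, subcommands):
    """Bug pattern: the batch command itself is checked as a read, but the
    sub-commands are dispatched straight to their handlers, so a client
    with read access can smuggle a write (pushkey) inside a batch."""
    check_permission(repo, READ)
    return [HANDLERS[name](repo, args) for name, args in subcommands]


def batch_fixed(repo, subcommands):
    """Fix: authorize every sub-command against its own required permission
    before executing any of them, then dispatch through run_command."""
    check_permission(repo, READ)
    for name, _args in subcommands:
        if name not in HANDLERS:
            raise ValueError("unknown command %r" % name)
        check_permission(repo, COMMAND_PERMISSIONS[name])
    return [run_command(repo, name, args) for name, args in subcommands]


if __name__ == "__main__":
    # Constructed request: a read-only client batching a read and a write.
    request = [("heads", {}), ("pushkey", {"key": "bm", "new": "abc"})]
    ro = Repo(allow_read=True, allow_write=False)
    batch_vulnerable(ro, request)
    print("vulnerable batch modified bookmarks:", ro.bookmarks)
    ro = Repo(allow_read=True, allow_write=False)
    try:
        batch_fixed(ro, request)
    except PermissionError as e:
        print("fixed batch refused:", e, "bookmarks:", ro.bookmarks)
```

The two-pass check in batch_fixed matters: if sub-commands were checked one by one as they run, a batch of [read, write] on a read-only repository would still execute the read before failing on the write, which leaks a partial result and makes the request non-atomic. Checking all permissions up front, then executing, keeps the denied batch from doing anything at all.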