> On Aug 10, 2017, at 14:09, Augie Fackler <r...@durin42.com> wrote:
>
> > Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*:

Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly.

> > CVE-2017-1000115:
> >
> > Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused
> > to write to files outside the repository.
> >
> > CVE-2017-1000116:
> >
> > Mercurial was not sanitizing hostnames passed to ssh, allowing shell
> > injection attacks by specifying a hostname starting with -oProxyCommand. This
> > is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so
> > please patch those tools as well if you have them installed. All three tools
> > are doing their security release today.
> >
> > Please update your packaged builds as soon as practical.
> >
> > Note that since we dropped Python 2.6 and these issues are pretty bad, we did
> > the back port to 4.2.3. We may not do further 4.2 releases, so please plan
> > around Python 2.7 in the near future if you haven't already.
> >
> > Thanks!
> > Augie
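For readers packaging or wrapping these tools, here is an added Python example (not Mercurial's, Git's or Subversion's own fix) of the kind of check CVE-2017-1000116 calls for: refuse ssh hostnames and user names that ssh would parse as options, and build the ssh argv as a list so no shell ever sees the values. The hostname pattern is an assumption that accepts DNS-style names only (no IPv6 literals).

```python
import re

# Added example, not Mercurial's own code. Both patterns are assumptions:
# they accept plain DNS-style names and simple user names, nothing else.
_HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")
_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def is_safe_ssh_host(host):
    """True only for a DNS-style hostname; anything starting with '-' is rejected."""
    return bool(host) and not host.startswith("-") and _HOST_RE.match(host) is not None


def is_safe_ssh_user(user):
    """True only for a user name that ssh cannot mistake for an option."""
    return bool(user) and not user.startswith("-") and _USER_RE.match(user) is not None


def build_ssh_argv(host, remote_cmd, user=None, port=None):
    """Return an argv list for subprocess (no shell), or raise ValueError.

    Besides the pattern checks, "--" ends ssh option parsing, so a value that
    somehow slipped through could still not be taken as an option.
    """
    if not is_safe_ssh_host(host):
        raise ValueError("refusing ssh host %r" % (host,))
    if user is not None and not is_safe_ssh_user(user):
        raise ValueError("refusing ssh user %r" % (user,))
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(int(port))]
    target = host if user is None else "%s@%s" % (user, host)
    argv += ["--", target, remote_cmd]
    return argv


if __name__ == "__main__":
    # Constructed inputs: one normal push target and a few values a validator must reject.
    print(build_ssh_argv("hg.example.org", "hg -R repo serve --stdio", user="hg"))
    for bad in ("-oProxyCommand=x", "--", "host;id", ""):
        print("%r -> %s" % (bad, is_safe_ssh_host(bad)))
```

Run the resulting argv with subprocess.Popen(argv) rather than through a shell string; the remote command still runs in the remote user's shell, which is the normal hg-over-ssh design.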
_______________________________________________
Mercurial mailing list
Mercurial@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial