> On Aug 10, 2017, at 14:11, Augie Fackler <r...@durin42.com> wrote:
>> On Aug 10, 2017, at 14:09, Augie Fackler <r...@durin42.com> wrote:
>> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*:
> Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly.

4.2.3 is now correctly available from mercurial-scm.org 
<http://mercurial-scm.org/> and has a tag in 

I can't (sadly) upload it to pypi, please let me know if that's a major concern 
for you.

>> CVE-2017-1000115:
>> Mercurial's symlink auditing was incomplete prior to 4.3, and could be 
>> abused to write to files outside the repository.
>> CVE-2017-1000116:
>> Mercurial was not sanitizing hostnames passed to ssh, allowing shell 
>> injection attacks by specifying a hostname starting with -oProxyCommand. 
>> This is also present in Git (CVE-2017-1000117) and Subversion 
>> (CVE-2017-9800), so please patch those tools as well if you have them 
>> installed. All three tools are doing their security release today.
>> Please update your packaged builds as soon as practical.
>> Note that since we dropped Python 2.6 and these issues are pretty bad, we 
>> did the back port to 4.2.3. We may not do further 4.2 releases, so please 
>> plan around Python 2.7 in the near future if you haven't already.
>> Thanks!
>> Augie

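One way the hostname problem behind CVE-2017-1000116 can be shown and closed, as an added example that is not Mercurial's, Git's or Subversion's own code: `weak_ssh_argv`, `host_is_safe` and `safe_ssh_argv` are constructed names, and the `--` guard relies on OpenSSH ending option parsing at `--` (an assumption about getopt behaviour, not the fix the projects shipped).

```python
import re

# Added example, not Mercurial's own code: how an ssh:// host taken from a
# URL reaches ssh's argv, and the checks a hardened version applies.

# Constructed allow-list: letters, digits, '.', '-', '_', ':' (IPv6) and an
# optional 'user@' prefix. Nothing ssh could parse as an option passes.
_HOST_RE = re.compile(r"^(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9._:-]+$")


def weak_ssh_argv(host, remote_cmd):
    """Pre-fix pattern: the host goes straight into argv. ssh parses any
    argument starting with '-' as an option, so a host of the form
    '-oProxyCommand=...' is consumed as a ProxyCommand option rather
    than as a destination."""
    return ["ssh", host, remote_cmd]


def host_is_safe(host):
    """True only when ssh can read the value as a destination."""
    if not host or host.startswith("-"):
        return False
    return _HOST_RE.match(host) is not None


def safe_ssh_argv(host, remote_cmd, port=None):
    """Hardened pattern: reject option-like hosts, range-check the port,
    and place '--' before the destination so option parsing has already
    ended by the time ssh reads the host (defence in depth)."""
    if not host_is_safe(host):
        raise ValueError("refusing ssh destination %r" % (host,))
    argv = ["ssh"]
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        argv += ["-p", str(port)]
    argv += ["--", host, remote_cmd]
    return argv


if __name__ == "__main__":
    bad = "-oProxyCommand=some-command"  # constructed option-like host
    print(weak_ssh_argv(bad, "hg -R repo serve --stdio"))
    print(safe_ssh_argv("hg.example.org", "hg -R repo serve --stdio", 22))
```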

Mercurial mailing list
