---------- Forwarded message ----------
From: Gregory Szorc <g...@mozilla.com>
Date: Thu, Aug 10, 2017 at 12:10 PM
Subject: Security releases for Git, Mercurial, and Subversion
To: Firefox Dev <firefox-...@mozilla.org>, dev-version-control <dev-version-cont...@lists.mozilla.org>
Git, Mercurial, and Subversion just had a coordinated release to mitigate a security vulnerability regarding the parsing of ssh:// URLs. Essentially, well-crafted ssh:// URLs (e.g. in a subrepo, submodule, or svn:externals references) could lead to local code execution. If you run a command like `git clone --recurse-submodules` or `hg pull --update` and nefarious data is received, you could be p0wned. This is tracked in at least CVE-2017-1000116 and CVE-2017-1000117.

In addition, Mercurial issued a security fix for symlink handling that could result in arbitrary filesystem write (attempts) for well-crafted symlinks. This is CVE-2017-1000115.

You should upgrade your version control clients ASAP to eliminate exposure to these bugs. Until you do, be extra cognizant where you pull from - especially any operation related to subrepos/submodules.

As of today, hg.mozilla.org is now configured to not allow subrepos and symlinks on non-user repos. The main Firefox repos have been audited and no "bad" data is present. So, the canonical Firefox repos cannot be used as a delivery vehicle for these exploits. I anticipate popular hosting services like GitHub and Bitbucket will take similar actions and make similar announcements.

Critical version control infrastructure like hg.mozilla.org and Autoland has been patched for several days courtesy of responsible early disclosure of the vulnerabilities and fixes from the Mercurial Project.

Announcements:

hg: https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html
git: http://marc.info/?l=git&m=150238802328673&w=2
svn: http://mail-archives.apache.org/mod_mbox/subversion-announce/201708.mbox/%3C2fefe468-7d41-11e7-aea1-9312c6089150%40apache.org%3E

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
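Added example, not part of Gregory Szorc's message or of any of the three projects' code: a small audit of `.gitmodules` and `.hgsub` contents that flags ssh:// and scp-style URLs whose user or host component begins with "-", the shape the coordinated fixes reject because ssh would read such a component as an option. The file contents and hostnames below are constructed; the `.hgsub` line format assumed is `path = [kind]source`.

```python
import re

# Matches "url = <value>" in .gitmodules (keys are tab-indented, git-config style).
URL_LINE = re.compile(r"^\s*url\s*=\s*(.+?)\s*$")
# Matches "path = [kind]source" in .hgsub; the [kind] prefix is optional.
HGSUB_LINE = re.compile(r"^\s*(\S.*?)\s*=\s*(?:\[(\w+)\])?(.+?)\s*$")
# scp-like form: [user@]host:path, no scheme, host ends at the first ':'.
SCP_LIKE = re.compile(r"^([^:/]+):")


def ssh_target_parts(url):
    """Return the (user, host) the VCS would hand to the ssh client for this
    URL, or None if the URL would not be fetched over ssh."""
    if url.lower().startswith("ssh://"):
        authority = url[len("ssh://"):].split("/", 1)[0]
    elif "://" not in url:
        m = SCP_LIKE.match(url)
        if not m:
            return None          # plain local path, not an ssh target
        authority = m.group(1)
    else:
        return None              # http(s)://, file://, ... are not ssh
    user, _, hostport = authority.rpartition("@")
    # Strip a single ":port"; leave bare IPv6 literals alone.
    host = hostport.rsplit(":", 1)[0] if hostport.count(":") == 1 else hostport
    return user, host


def is_risky_ssh_url(url):
    """True when a user or host component starts with '-'."""
    parts = ssh_target_parts(url)
    return parts is not None and any(p.startswith("-") for p in parts)


def scan_gitmodules(text):
    """Return the risky submodule URLs found in .gitmodules content."""
    hits = [URL_LINE.match(line) for line in text.splitlines()]
    return [m.group(1) for m in hits if m and is_risky_ssh_url(m.group(1))]


def scan_hgsub(text):
    """Return the risky subrepo sources found in .hgsub content."""
    hits = [HGSUB_LINE.match(line) for line in text.splitlines()]
    return [m.group(3) for m in hits if m and is_risky_ssh_url(m.group(3))]


# Constructed sample files: one benign and one dash-prefixed entry each.
GITMODULES = '[submodule "vendor/lib"]\n\tpath = vendor/lib\n\turl = git@github.com:example/lib.git\n' \
             '[submodule "tools"]\n\tpath = tools\n\turl = ssh://-evil.example/tools\n'
HGSUB = "vendor/lib = ssh://hg@hg.example.org/lib\nvendor/bad = [git]-evil.example:bad.git\n"
```

Running `scan_gitmodules(GITMODULES)` and `scan_hgsub(HGSUB)` returns only the dash-prefixed entries; in practice, run the check over every submodule or subrepo file in a repository before fetching with `--recurse-submodules` or `hg pull --update`.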