Re: Mercurial 4.3 and 4.2.3 released

2017-08-11 Thread Sean Farley
Boris Feld <boris.f...@octobus.net> writes: > On Thu, 2017-08-10 at 14:09 -0400, Augie Fackler wrote: >> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch >> *immediately*: >> >> CVE-2017-1000115: >> >> Mercurial's symlink auditing was in

Re: Mercurial 4.3 and 4.2.3 released

2017-08-11 Thread Augie Fackler
> On Aug 11, 2017, at 05:10, Dr Rainer Woitok wrote: > > Augie, > > On Thursday, 2017-08-10 14:11:52 -0400, you wrote: > >> ... >>> CVE-2017-1000115: >>> >>> Mercurial's symlink auditing was incomplete prior to 4.3, and could be >>> abused to write to files outside

Re: Mercurial 4.3 and 4.2.3 released

2017-08-11 Thread Dr Rainer Woitok
Augie, On Thursday, 2017-08-10 14:11:52 -0400, you wrote: > ... > > CVE-2017-1000115: > > > > Mercurial's symlink auditing was incomplete prior to 4.3, and could be > > abused to write to files outside the repository. What precisely does that mean? Is it no longer possible to have a vers-

Re: Mercurial 4.3 and 4.2.3 released

2017-08-11 Thread Boris Feld
On Thu, 2017-08-10 at 14:09 -0400, Augie Fackler wrote: > Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch > *immediately*: > > CVE-2017-1000115: > > Mercurial's symlink auditing was incomplete prior to 4.3, and could > be abused to write to files outside the

Re: Mercurial 4.3 and 4.2.3 released

2017-08-11 Thread Arne Babenhauserheide
Augie Fackler writes: >> 4.2.3 is now correctly available from mercurial-scm.org >> and has a tag in >> mercurial-scm.org/repo/hg-committed >> . > So there's now a 4.3.1 with the patches. Thank you for

Re: Mercurial 4.3 and 4.2.3 released

2017-08-10 Thread Augie Fackler
kler <r...@durin42.com >>> <mailto:r...@durin42.com>> wrote: >>> >>> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*: >> >> Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly. > > 4.2.3 is now co

Re: Mercurial 4.3 and 4.2.3 released

2017-08-10 Thread Augie Fackler
> On Aug 10, 2017, at 14:11, Augie Fackler <r...@durin42.com> wrote: > > >> On Aug 10, 2017, at 14:09, Augie Fackler <r...@durin42.com> wrote: >> >> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*: > > Update: the rele

Re: Mercurial 4.3 and 4.2.3 released

2017-08-10 Thread Augie Fackler
> On Aug 10, 2017, at 14:09, Augie Fackler <r...@durin42.com> wrote: > > Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*: Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly. > > CVE-2017-1000115: > > M

Mercurial 4.3 and 4.2.3 released

2017-08-10 Thread Augie Fackler
Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*: CVE-2017-1000115: Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository. CVE-2017-1000116: Mercurial was not sanitizing hostnames passed to ssh
