Re: Mercurial 4.3 and 4.2.3 released
Augie,

On Thursday, 2017-08-10 14:11:52 -0400, you wrote:
> ...
> > CVE-2017-1000115:
> >
> > Mercurial's symlink auditing was incomplete prior to 4.3, and could be
> > abused to write to files outside the repository.

What precisely does that mean? Is it no longer possible to have a version controlled symbolic link somewhere in the working directory which points to some place outside the Mercurial repository? Some of my repositories heavily depend on this :-(

I searched the web for "CVE-2017-1000115", but found neither a detailed description of the problem nor of the solution.

Anybody caring to shed some light on this?

Sincerely,
Rainer

___
Mercurial-packaging mailing list
Mercurial-packaging@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-packaging
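The class of problem behind CVE-2017-1000115 is writing *through* a symlinked path component, which can land a checkout file outside the repository. As an added illustration (not Mercurial's own auditor, and not a statement about how Mercurial 4.3 treats tracked symlinks), the following Python path auditor refuses to write below any ancestor component that is a symlink, and rejects absolute paths and `..` traversal; `demo()` builds a constructed repository in a temporary directory to exercise it.

```python
import os
import tempfile


class PathAuditError(Exception):
    """Raised when a repository-relative path must not be written."""


def audit_write_path(repo_root, relpath):
    """Return the absolute path at which `relpath` may be written below
    `repo_root`, or raise PathAuditError.

    Every *ancestor* component is checked with os.path.islink(): a symlink
    there would redirect the write to wherever the link points, possibly
    outside the repository.  The final component is not checked, so a
    tracked symlink can still be replaced as a leaf entry.
    """
    root = os.path.realpath(repo_root)
    if os.path.isabs(relpath):
        raise PathAuditError("absolute path rejected: %r" % relpath)
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PathAuditError("empty or traversing path rejected: %r" % relpath)
    cur = root
    for comp in parts[:-1]:
        cur = os.path.join(cur, comp)
        if os.path.islink(cur):
            raise PathAuditError("refusing to write through symlink %r"
                                 % os.path.relpath(cur, root))
    return os.path.join(cur, parts[-1])


def is_rejected(repo_root, relpath):
    """True if the auditor refuses `relpath` for `repo_root`."""
    try:
        audit_write_path(repo_root, relpath)
        return False
    except PathAuditError:
        return True


def demo():
    """Constructed scenario: a repo whose tracked symlink 'lib' points to a
    directory outside the repo.  Returns (accepted_relpath, rejected_flag)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)           # resolve /tmp-style symlinks up front
        root = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "src"))
        os.mkdir(outside)
        os.symlink(outside, os.path.join(root, "lib"))
        accepted = os.path.relpath(audit_write_path(root, "src/ok.txt"), root)
        return accepted, is_rejected(root, "lib/escape.txt")
```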
Re: Mercurial 4.3 and 4.2.3 released
On Thu, 2017-08-10 at 14:09 -0400, Augie Fackler wrote:
> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch
> *immediately*:
>
> CVE-2017-1000115:
>
> Mercurial's symlink auditing was incomplete prior to 4.3, and could
> be abused to write to files outside the repository.
>
> CVE-2017-1000116:
>
> Mercurial was not sanitizing hostnames passed to ssh, allowing shell
> injection attacks by specifying a hostname starting with
> -oProxyCommand. This is also present in Git (CVE-2017-1000117) and
> Subversion (CVE-2017-9800), so please patch those tools as well if
> you have them installed. All three tools are doing their security
> release today.
>
> Please update your packaged builds as soon as practical.
>
> Note that since we dropped Python 2.6 and these issues are pretty
> bad, we did the back port to 4.2.3. We may not do further 4.2
> releases, so please plan around Python 2.7 in the near future if you
> haven't already.
>
> Thanks!
> Augie

Thank you Augie for the release and thank you Yuja, Sean and Jun for the security fixes!

We had to backport the patches for Mercurial 4.1.3 for some customers. We made them available in case someone else needs them: https://bitbucket.org/octobus/mercurial-backport/branch/backport-4.1

Sincerely,
Boris Feld
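CVE-2017-1000116 is an argument-injection bug: ssh parses its command line with getopt, so a "hostname" beginning with `-` (such as `-oProxyCommand=...`) is consumed as an option. As an added example (not Mercurial's fix, and not the project's code), the following Python builder validates user-controlled host, user and port values before they reach ssh, places the host after `--` so ssh stops option parsing, and returns an argv list for `subprocess` rather than a shell string.

```python
import subprocess


class UnsafeSshArgument(ValueError):
    """Raised when a user, host or port value could be parsed by ssh as an option."""


def _reject_option_like(name, value):
    # Anything starting with '-' would be taken as an ssh option if it ever
    # ended up before the hostname (or in a shell string); refuse it outright.
    if not value or value.startswith("-"):
        raise UnsafeSshArgument("%s %r looks like an ssh option" % (name, value))
    if any(ch in value for ch in "\x00\r\n"):
        raise UnsafeSshArgument("%s %r contains control characters" % (name, value))


def build_ssh_argv(host, user=None, port=None, remote_cmd=None):
    """Return an argv list for subprocess.run(..., shell=False).

    host/user/port are treated as untrusted (they may come from a URL such as
    ssh://host/path).  The host is placed after '--' so ssh never interprets
    it as an option; remote_cmd is passed as a single trailing argument.
    """
    _reject_option_like("host", host)
    argv = ["ssh"]
    if user is not None:
        _reject_option_like("user", user)
        argv += ["-l", user]
    if port is not None:
        if not (isinstance(port, int) and 1 <= port <= 65535):
            raise UnsafeSshArgument("port %r is not a valid TCP port" % (port,))
        argv += ["-p", str(port)]
    argv.append("--")            # end of options: everything after is host + command
    argv.append(host)
    if remote_cmd:
        argv.append(remote_cmd)
    return argv


def is_rejected_host(host):
    """True if build_ssh_argv refuses `host`."""
    try:
        build_ssh_argv(host)
        return False
    except UnsafeSshArgument:
        return True


def run_remote(host, remote_cmd, **kw):
    """Invoke ssh without a shell; hypothetical helper showing the intended use."""
    return subprocess.run(build_ssh_argv(host, remote_cmd=remote_cmd, **kw), check=False)
```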
Re: Mercurial 4.3 and 4.2.3 released
> On Aug 10, 2017, at 14:11, Augie Fackler <r...@durin42.com> wrote:
>
>> On Aug 10, 2017, at 14:09, Augie Fackler <r...@durin42.com> wrote:
>>
>> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*:
>
> Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly.

4.2.3 is now correctly available from http://mercurial-scm.org/ and has a tag in http://mercurial-scm.org/repo/hg-committed. I can't (sadly) upload it to pypi, please let me know if that's a major concern for you.

>
>> CVE-2017-1000115:
>>
>> Mercurial's symlink auditing was incomplete prior to 4.3, and could be
>> abused to write to files outside the repository.
>>
>> CVE-2017-1000116:
>>
>> Mercurial was not sanitizing hostnames passed to ssh, allowing shell
>> injection attacks by specifying a hostname starting with -oProxyCommand.
>> This is also present in Git (CVE-2017-1000117) and Subversion
>> (CVE-2017-9800), so please patch those tools as well if you have them
>> installed. All three tools are doing their security release today.
>>
>> Please update your packaged builds as soon as practical.
>>
>> Note that since we dropped Python 2.6 and these issues are pretty bad, we
>> did the back port to 4.2.3. We may not do further 4.2 releases, so please
>> plan around Python 2.7 in the near future if you haven't already.
>>
>> Thanks!
>> Augie
Re: Mercurial 4.3 and 4.2.3 released
> On Aug 10, 2017, at 14:09, Augie Fackler <r...@durin42.com> wrote:
>
> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch *immediately*:

Update: the release script misfired and 4.2.3 is wrong - I'll fix it shortly.

>
> CVE-2017-1000115:
>
> Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused
> to write to files outside the repository.
>
> CVE-2017-1000116:
>
> Mercurial was not sanitizing hostnames passed to ssh, allowing shell
> injection attacks by specifying a hostname starting with -oProxyCommand. This
> is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so
> please patch those tools as well if you have them installed. All three tools
> are doing their security release today.
>
> Please update your packaged builds as soon as practical.
>
> Note that since we dropped Python 2.6 and these issues are pretty bad, we did
> the back port to 4.2.3. We may not do further 4.2 releases, so please plan
> around Python 2.7 in the near future if you haven't already.
>
> Thanks!
> Augie