On Thursday, 2017-08-10 14:11:52 -0400, you wrote:
> > CVE-2017-1000115:
> > Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
What precisely does that mean? Is it no longer possible to have a vers-
ion controlled symbolic link somewhere in the working directory which
points to some place outside the Mercurial repository? Some of my re-
positories heavily depend on this :-(
I searched the web for "CVE-2017-1000115", but found neither a detailed
description of the problem nor of the solution.
> On Thu, 2017-08-10 at 14:09 -0400, Augie Fackler wrote:
>> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch
>> Mercurial's symlink auditing was incomplete prior to 4.3, and could
>> be abused to write to files outside the repository.
>> Mercurial was not sanitizing hostnames passed to ssh, allowing shell
>> injection attacks by specifying a hostname starting with
>> -oProxyCommand. This is also present in Git (CVE-2017-1000117) and
>> Subversion (CVE-2017-9800), so please patch those tools as well if
>> you have them installed. All three tools are doing their security
>> release today.
>> Please update your packaged builds as soon as practical.
>> Note that since we dropped Python 2.6 and these issues are pretty
>> bad, we did the back port to 4.2.3. We may not do further 4.2
>> releases, so please plan around Python 2.7 in the near future if you
>> haven't already.
> Thank you Augie for the release and thank you Yuja, Sean and Jun for
> the security fixes!
> We had to backport the patches for Mercurial 4.1.3 for some customers.
> We made them available in case someone else needs them:
In what turned out to be a nightmare for me, I too, have backported
these fixes to 3.7.3: