Re: Mercurial 4.3 and 4.2.3 released


Re: Mercurial 4.3 and 4.2.3 released

Arne Babenhauserheide-2

Augie Fackler <[hidden email]> writes:

>> 4.2.3 is now correctly available from mercurial-scm.org <http://mercurial-scm.org/> and has a tag in mercurial-scm.org/repo/hg-committed <http://mercurial-scm.org/repo/hg-committed>.
> So there's now a 4.3.1 with the patches.

Thank you for your swift fixes — and for the backport!

Best wishes,
Arne
--
Unpolitisch sein
heißt politisch sein
ohne es zu merken

_______________________________________________
Mercurial mailing list
[hidden email]
https://www.mercurial-scm.org/mailman/listinfo/mercurial


Re: Mercurial 4.3 and 4.2.3 released

Dr Rainer Woitok
Augie,

On Thursday, 2017-08-10 14:11:52 -0400, you wrote:

> ...
> > CVE-2017-1000115:
> >
> > Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.

What precisely does that mean?  Is it no longer possible to have a
version controlled symbolic link somewhere in the working directory
which points to some place outside the Mercurial repository?  Some of
my repositories heavily depend on this :-(

I searched the web for "CVE-2017-1000115",  but found neither a detailed
description of the problem nor of the solution.

Anybody caring to shed some light on this?

Sincerely,
  Rainer
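An added illustration of the path-audit problem the announcement names (CVE-2017-1000115), written by the editor rather than taken from Mercurial, to make the distinction behind Rainer's question concrete: creating a tracked symlink that points outside the repository is one operation, writing a file through such a symlink is another, and it is the second that lets a checkout write outside the working directory. The audit, the helper names and the temporary-directory layout below are assumptions made for the example; whether Mercurial's fix draws the line exactly here is not something this thread states.

```python
"""Editor's illustration of a working-copy path audit (constructed example,
not Mercurial's code): a write may not pass *through* a symlink, while the
symlink entry itself may still be created and may point anywhere."""
import os
import shutil
import tempfile


class PathAuditError(Exception):
    """Raised when a repository-relative path must not be written."""


def audit_path(root, relpath):
    """Return the absolute destination for relpath, or raise.

    Rejects absolute paths and '', '.', '..' components, and rejects any
    directory component that is a symlink; where the link points is
    irrelevant, following it at all is what escapes root. The final
    component is not checked here so that a symlink entry can be created
    at that position by the caller.
    """
    parts = relpath.split("/")
    if relpath.startswith("/") or any(p in ("", ".", "..") for p in parts):
        raise PathAuditError("rejected path component in %r" % relpath)
    cur = root
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            raise PathAuditError("%r traverses symlink %r"
                                 % (relpath, os.path.relpath(cur, root)))
    return os.path.join(root, *parts)


def write_file_unaudited(root, relpath, data):
    """Pre-fix shape: join and write; a symlinked directory is followed."""
    dest = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return os.path.realpath(dest)


def write_file_audited(root, relpath, data):
    """Audited write of a regular file; also refuses to write through a
    symlink sitting at the final position."""
    dest = audit_path(root, relpath)
    if os.path.islink(dest):
        raise PathAuditError("%r is a symlink; refusing to write through it"
                             % relpath)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return os.path.realpath(dest)


def write_symlink_audited(root, relpath, target):
    """Create the tracked symlink entry itself. The target is only link
    text and may point outside root; nothing is written through it."""
    dest = audit_path(root, relpath)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    if os.path.lexists(dest):
        os.unlink(dest)
    os.symlink(target, dest)
    return dest


def _refused(fn, *args):
    try:
        fn(*args)
    except PathAuditError:
        return True
    return False


def demo():
    """Constructed scenario: the working copy tracks a symlink 'outside'
    whose target is a directory beside the repository. Returns a dict of
    booleans describing what each write did."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "repo")
        elsewhere = os.path.join(base, "elsewhere")
        os.makedirs(root)
        os.makedirs(elsewhere)
        inside = os.path.realpath(root) + os.sep
        r = {}
        # A versioned symlink pointing outside the repo is fine to create.
        write_symlink_audited(root, "outside", elsewhere)
        r["link_created"] = os.path.islink(os.path.join(root, "outside"))
        # Unaudited: 'outside/evil.txt' lands in elsewhere/, not in the repo.
        r["unaudited_escaped"] = not write_file_unaudited(
            root, "outside/evil.txt", b"pwned").startswith(inside)
        # Audited: the same write is refused because it traverses the link.
        r["audited_refused"] = _refused(
            write_file_audited, root, "outside/evil.txt", b"pwned")
        # Audited: writing content onto the link entry itself is refused.
        r["through_link_refused"] = _refused(
            write_file_audited, root, "outside", b"x")
        # Audited: '..' never reaches the filesystem.
        r["dotdot_refused"] = _refused(
            write_file_audited, root, "../escape.txt", b"x")
        # Audited: an ordinary path inside the repo still works.
        r["normal_write_inside"] = write_file_audited(
            root, "src/main.py", b"print('hi')\n").startswith(inside)
        return r
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-22s %s" % (name, value))
```

The check and the write are separate steps here, so a hostile process racing the checkout could swap a directory for a symlink between them; a production audit would open each component with O_NOFOLLOW relative to a held directory descriptor rather than re-walking the path by name.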

Re: Mercurial 4.3 and 4.2.3 released

Sean Farley-3
In reply to this post by Arne Babenhauserheide-2

Boris Feld <[hidden email]> writes:

> On Thu, 2017-08-10 at 14:09 -0400, Augie Fackler wrote:
>> Moments ago, I released Mercurial 4.3 and 4.2.3. Please patch
>> *immediately*:
>>
>> CVE-2017-1000115:
>>
>> Mercurial's symlink auditing was incomplete prior to 4.3, and could
>> be abused to write to files outside the repository.
>>
>> CVE-2017-1000116:
>>
>> Mercurial was not sanitizing hostnames passed to ssh, allowing shell
>> injection attacks by specifying a hostname starting with
>> -oProxyCommand. This is also present in Git (CVE-2017-1000117) and
>> Subversion (CVE-2017-9800), so please patch those tools as well if
>> you have them installed. All three tools are doing their security
>> release today.
>>
>> Please update your packaged builds as soon as practical.
>>
>> Note that since we dropped Python 2.6 and these issues are pretty
>> bad, we did the back port to 4.2.3. We may not do further 4.2
>> releases, so please plan around Python 2.7 in the near future if you
>> haven't already.
>>
>> Thanks!
>> Augie
>
> Thank you Augie for the release and thank you Yuja, Sean and Jun for
> the security fixes!
>
> We had to backport the patches for Mercurial 4.1.3 for some customers.
>
> We made them available in case someone else needs them:
>
> https://bitbucket.org/octobus/mercurial-backport/branch/backport-4.1.

In what turned out to be a nightmare for me, I, too, have backported
these fixes to 3.7.3:

https://bitbucket.org/atlassian/mercurial/commits/branch/sec-3.7

I viewed this as an exercise and in no way promise to backport future
things.

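The hostname injection that Augie's announcement describes (CVE-2017-1000116), worked through as an added example. This is the editor's own Python, not Mercurial's code: the ssh:// URL grammar, the helper names, the remote command string and the small model of how a getopt-style ssh client reads its argv are all assumptions made for illustration, and the argv is only built and inspected, never executed.

```python
"""Editor's illustration of the argument-injection class described in the
thread (CVE-2017-1000116). Nothing here is Mercurial's code: the URL
grammar, helper names and the model of ssh's argv parsing are constructed
for the example, and the argv is built and inspected but never run."""
import re
import shlex

# Constructed grammar: ssh://[user@]host[:port]/path
_SSH_URL = re.compile(
    r"^ssh://(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+)"
    r"(?::(?P<port>[^/]*))?/(?P<path>.*)$"
)

# Short ssh options that consume the following word (subset, for the model).
_OPTS_WITH_ARG = {"-p", "-o", "-i", "-l", "-F", "-c"}


def parse_ssh_url(url):
    """Split an ssh:// URL into user/host/port/path; absent fields are None."""
    m = _SSH_URL.match(url)
    if not m:
        raise ValueError("not an ssh:// URL: %r" % url)
    return m.groupdict()


def _remote_command(path):
    # The command handed to the remote shell. The path is quoted, so the
    # remote side is not where the injection happens in this bug class.
    return "hg -R %s serve --stdio" % shlex.quote(path)


def _userhost(p):
    return p["host"] if p["user"] is None else "%s@%s" % (p["user"], p["host"])


def build_ssh_argv_unsafe(url):
    """Pre-fix shape: whatever the URL carried lands in the hostname slot."""
    p = parse_ssh_url(url)
    argv = ["ssh"]
    if p["port"]:
        argv += ["-p", p["port"]]
    return argv + [_userhost(p), _remote_command(p["path"])]


def build_ssh_argv_safe(url):
    """Hardened shape: refuse a user, host or port that begins with '-'
    (that is the actual guard), and put '--' before the hostname so a
    getopt-style client stops option parsing there (assumes OpenSSH)."""
    p = parse_ssh_url(url)
    for field in ("user", "host", "port"):
        value = p[field]
        if value is not None and value.startswith("-"):
            raise ValueError("refusing %s that looks like an ssh option: %r"
                             % (field, value))
    argv = ["ssh"]
    if p["port"]:
        argv += ["-p", p["port"]]
    return argv + ["--", _userhost(p), _remote_command(p["path"])]


def is_rejected(url):
    """True if the hardened builder refuses url."""
    try:
        build_ssh_argv_safe(url)
    except ValueError:
        return True
    return False


def model_ssh_parse(argv):
    """Tiny model (not the real parser) of how a getopt-style ssh reads
    argv: leading '-' words are options, '--' ends them, the first
    positional word is the host and anything after it is the command.
    Returns (options, host, command_words)."""
    opts, positional = [], []
    args = argv[1:]
    i = 0
    while i < len(args):
        arg = args[i]
        if positional:
            positional.append(arg)
        elif arg == "--":
            positional.extend(args[i + 1:])
            break
        elif arg.startswith("-"):
            if arg in _OPTS_WITH_ARG and i + 1 < len(args):
                opts.append(arg + " " + args[i + 1])
                i += 1
            else:
                opts.append(arg)
        else:
            positional.append(arg)
        i += 1
    host = positional[0] if positional else None
    return opts, host, positional[1:]


if __name__ == "__main__":
    evil = "ssh://-oProxyCommand=id/repo"
    argv = build_ssh_argv_unsafe(evil)
    print("unsafe argv:  ", argv)
    print("ssh would see:", model_ssh_parse(argv))
    print("safe builder rejects it:", is_rejected(evil))
    print("benign:", build_ssh_argv_safe("ssh://alice@hg.example.org:2222/repo"))
```

With the unsafe builder the word ssh reads in the hostname position is `-oProxyCommand=id`, so the model reports it as an option and takes the remote command string as the host; ProxyCommand is run through the local shell, which is the whole attack. The leading-dash check covers the user and port fields as well as the host, since any of them can be placed ahead of the hostname in argv.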