Security releases for Git, Mercurial, and Subversion


Gregory Szorc

Aug 10, 2017, 3:11:14 PM
to Firefox Dev, dev-version-control
Git, Mercurial, and Subversion just had a coordinated release to mitigate a
security vulnerability regarding the parsing of ssh:// URLs. Essentially,
well-crafted ssh:// URLs (e.g. in a subrepo, submodule, or svn:externals
references) could lead to local code execution. If you run a command like
`git clone --recurse-submodules` or `hg pull --update` and nefarious data
is received, you could be p0wned.

This is tracked in at least CVE-2017-1000116 and CVE-2017-1000117.

In addition, Mercurial issued a security fix for symlink handling that
could result in arbitrary filesystem write (attempts) for well-crafted
symlinks. This is CVE-2017-1000115.

You should upgrade your version control clients ASAP to eliminate exposure
to these bugs. Until you do, be extra cognizant where you pull from -
especially any operation related to subrepos/submodules.

As of today, hg.mozilla.org is now configured to not allow subrepos and
symlinks on non-user repos. The main Firefox repos have been audited and no
"bad" data is present. So, the canonical Firefox repos cannot be used as a
delivery vehicle for these exploits. I anticipate popular hosting services
like GitHub and Bitbucket will take similar actions and make similar
announcements.

Critical version control infrastructure like hg.mozilla.org and Autoland
has been patched for several days courtesy of responsible early disclosure
of the vulnerabilities and fixes from the Mercurial Project.

Announcements:

hg: https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html
git: http://marc.info/?l=git&m=150238802328673&w=2
svn: http://mail-archives.apache.org/mod_mbox/subversion-announce/201708.mbox/%3C2fefe468-7d41-11e7-aea1-9312c6089150%40apache.org%3E
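
The check behind the advisory above, as an added example that is not part of the original post or of any of the three projects' code: the fixed releases reject ssh:// (and, for Subversion, svn+ssh://) URLs whose user or host part begins with a dash, because an unpatched client handed that string to ssh(1) as its first argument, where it is parsed as an option rather than a hostname. The script below applies the same test to the three places the post names (a .gitmodules file, an .hgsub file, an svn:externals property), so a checkout can be audited before running `git clone --recurse-submodules` or `hg pull --update` with a client that has not been upgraded yet. The file contents are constructed for the example and the function names are mine.

```python
import re

# Schemes whose authority part is handed to ssh(1). svn:externals use svn+ssh://.
SSH_SCHEMES = ("ssh://", "svn+ssh://")

# Constructed sample inputs for this example (not taken from any real repository).
# The last entry in each is the shape the August 2017 fixes reject: a host that
# starts with "-", which an unpatched client passed to ssh as an option.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = ssh://git@example.org:22/libfoo.git
[submodule "vendor/evil"]
\tpath = vendor/evil
\turl = ssh://-oProxyCommand=echo%20hello/x
"""
SAMPLE_HGSUB = """\
# path = [kind]source
vendor/libbar = ssh://hg@example.org/libbar
vendor/qux = [git]ssh://git@example.org/qux
vendor/evil = ssh://-oProxyCommand=echo%20hello/x
"""
SAMPLE_EXTERNALS = """\
libs/baz svn+ssh://svn.example.org/repos/baz/trunk
libs/evil svn+ssh://-oProxyCommand=echo%20hello/x
"""


def ssh_option_injection(url: str) -> bool:
    """True when the user or host part of an ssh-style URL begins with '-'.

    Such a value ends up as ssh(1)'s first argument and is parsed as an option
    (for example -oProxyCommand=...), which is the class of URL the
    August 2017 Git/Mercurial/Subversion releases started refusing.
    """
    for scheme in SSH_SCHEMES:
        if url.startswith(scheme):
            authority = url[len(scheme):].split("/", 1)[0]
            break
    else:
        return False  # not an ssh URL; nothing reaches ssh(1)
    userinfo, _, hostport = authority.rpartition("@")
    # Bracketed IPv6 literals keep their colons; otherwise strip a trailing :port.
    host = hostport if hostport.startswith("[") else hostport.rsplit(":", 1)[0]
    return host.startswith("-") or userinfo.startswith("-")


_GITMODULES_URL = re.compile(r"^\s*url\s*=\s*(\S+)", re.MULTILINE)


def gitmodules_urls(text: str) -> list:
    """Submodule URLs from .gitmodules ("url = ..." lines)."""
    return _GITMODULES_URL.findall(text)


def hgsub_urls(text: str) -> list:
    """Subrepo sources from .hgsub ("path = [kind]source" lines)."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        source = line.split("=", 1)[1].strip()
        if source.startswith("[") and "]" in source:
            source = source[source.index("]") + 1:]  # drop the [git]/[svn] kind tag
        urls.append(source)
    return urls


def externals_urls(text: str) -> list:
    """URL tokens from an svn:externals property (old or new line layout)."""
    return [tok for line in text.splitlines() for tok in line.split()
            if tok.startswith(SSH_SCHEMES)]


def audit(gitmodules: str = "", hgsub: str = "", externals: str = "") -> list:
    """(source, url) pairs for every reference that would inject ssh options."""
    sources = (("gitmodules", gitmodules_urls(gitmodules)),
               ("hgsub", hgsub_urls(hgsub)),
               ("externals", externals_urls(externals)))
    return [(name, url) for name, urls in sources for url in urls
            if ssh_option_injection(url)]


if __name__ == "__main__":
    for name, url in audit(SAMPLE_GITMODULES, SAMPLE_HGSUB, SAMPLE_EXTERNALS):
        print(f"{name}: ssh option injection via {url}")
```

Run it against the real files from a freshly fetched (but not yet updated or recursed) checkout; a hit means the reference must not be followed with an unpatched client. The check is deliberately narrow: it flags only the dash-prefixed user/host case the advisories cover, and upgrading remains the actual fix.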

Ryan VanderMeulen

Aug 10, 2017, 3:18:39 PM
to Gregory Szorc, dev-version-control, Firefox Dev
Friendly reminder that for Windows users, you can update Mercurial from the
MozillaBuild command prompt by running the |pip install -U mercurial|
command.

-Ryan

Mike Conley

Aug 10, 2017, 3:22:20 PM
to Firefox Dev, dev-version-control
And for the folks using Homebrew, this is the pull request to track to
get the new formula:

https://github.com/Homebrew/homebrew-core/pull/16634


Gregory Szorc

Aug 11, 2017, 1:29:36 PM
to Gregory Szorc, dev-platform, dev-version-control, Firefox Dev
Following up...

The Mozilla tracking bugs for these security releases are:

Mercurial: 1385978
Git: 1386035
Subversion: 1386038

(Note: only the Mercurial one is currently public)

There were some failures in Mercurial's release process yesterday.

Mercurial 4.3.1 was released shortly after 4.3 because 4.3 didn't include
the security fixes. If you upgraded to 4.3 yesterday, please run `hg
version` and make sure you are on 4.3.1 and upgrade if not.

Also, PyPI isn't hosting a tar.gz for Mercurial 4.2.3 because of a mix-up
involving uploading of that file and PyPI's inability to replace a file
once uploaded. If you need to `pip install Mercurial` from source (any
platform not Windows - which should pick up the binary Python wheel
packages from PyPI), you can add a `--find-links https://www.mercurial-scm.org/release/`
to `pip install` or a pip
requirements file and it will find the tar.gz from Mercurial's official
hosting location. The SHA-256 for pip requirements pinning (which you
should almost always use) is
04908fc7d89e5810edf3d2762f5aecce5b5c0cb8534f3dbff7d0d848d11ff7ac. (GPG
signature available at aforementioned URL if you want to verify.)

There's also one known regression in 4.3.1 that impacts old Python 2.7
releases. If you get an error mentioning "branchmap.py" and "bytearray",
this will be fixed in 4.3.2. It isn't clear if 4.3.2 will be released
before the next scheduled minor release on September 1.

If you've been impacted by the Try/pushlog outages recently, it is fallout
from this. We had to shotgun upgrade all important infrastructure to
Mercurial 4.2 last week to prepare for this release. My perception is the
upgrade problems aren't worthy of running a custom Mercurial 4.1 build
(which would be a hassle). So we've been working through the problems as
they arise (with the assumption that issues are infrequent, easily
correctable, and will be addressed soon). Hopefully the recent high
stability of hg.mozilla.org relative to where it was 5 years ago has built
up enough karma that a few days of instability is tolerable. But I do
apologize if this has caused any inconvenience: I hate being blocked on
getting things done as much as you do. I hope to have upgrade fallout bugs
sorted out by next week. Bug 1359641 tracks everything related to the 4.2
upgrade.

Finally, little has landed to prepare things like version-control-tools
extensions for Mercurial 4.3. That is normally something I do the week or
two before a major release. But the security fire drill preempted that
work. If you find random bugs with our custom extensions with 4.3, that's
probably why. If you want to help, ping me (gps) in #vcs on IRC. It would
be particularly useful to find a champion to keep the `mach bootstrap`
Mercurial functionality up to date. Anyway, track 4.3 things against bug
1389562.

Sorry for the wall of text and the disruptions. It has been a very chaotic
~2 weeks to prepare and handle this security event.
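
The hash pinning the post recommends for the 4.2.3 source install, as an added example (not code from the original post or from the Mercurial project): a requirements file carrying the quoted --find-links line and SHA-256, plus a small check that recomputes a downloaded archive's digest before anything is installed. The digest and URL are the ones quoted above; the function names and the stand-in file written by `demo()` are mine.

```python
import hashlib
import hmac
import os
import tempfile

# Values quoted in the post: the sdist digest and Mercurial's own release
# directory, which pip consults when PyPI has no tar.gz for 4.2.3.
MERCURIAL_423_SHA256 = "04908fc7d89e5810edf3d2762f5aecce5b5c0cb8534f3dbff7d0d848d11ff7ac"
FIND_LINKS = "https://www.mercurial-scm.org/release/"


def requirements_text() -> str:
    """A pip requirements file that pins Mercurial 4.2.3 to the quoted digest.

    Install with `pip install --require-hashes -r requirements.txt`; in hash
    mode pip refuses any artifact (wheel or sdist) whose SHA-256 differs, so a
    tampered or substituted download fails closed instead of being installed.
    """
    return (
        f"--find-links {FIND_LINKS}\n"
        f"mercurial==4.2.3 --hash=sha256:{MERCURIAL_423_SHA256}\n"
    )


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_sha256(path: str, expected_hex: str) -> bool:
    """Compare a downloaded file against a pinned digest (the manual form of pip's hash mode)."""
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def demo() -> tuple:
    """Write a stand-in archive and check it against a matching and a mismatching pin.

    The file content is constructed for this example and is not the real sdist,
    so the quoted Mercurial digest is the mismatching case here.
    """
    payload = b"constructed stand-in, not the real archive\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mercurial-4.2.3.tar.gz")
        with open(path, "wb") as fh:
            fh.write(payload)
        matching = hashlib.sha256(payload).hexdigest()
        return verify_sha256(path, matching), verify_sha256(path, MERCURIAL_423_SHA256)


if __name__ == "__main__":
    print(requirements_text())
    print(demo())
```

Two caveats on the design: pip's hash mode requires every requirement in the file to be pinned with a hash, including dependencies (Mercurial 4.2.3 has none on Python, so the single line suffices), and a matching digest only proves you received the same bytes as whoever computed it; the GPG signature the post points to at the release URL is what ties those bytes to the Mercurial project.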