
Mercurial 4.4.1 security release


Gregory Szorc

Nov 13, 2017, 1:57:23 PM
to dev-version-control
Mercurial made an out-of-band 4.4.1 release to address security issues
around subrepositories. More info is at
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29
.

The most severe vulnerability could lead to clone/update time code
execution when interacting with specifically crafted repositories. The
mitigation is that non-Mercurial subrepositories are disabled by default in
Mercurial 4.4.1 (Mercurial supports Git and Subversion subrepositories.)
Mercurial 4.5 will likely contain a better mitigation. But non-Mercurial
subrepos may continue to be disabled by default because they have
contributed multiple security vulnerabilities over the years.

Mozilla was made aware of the issue before the security release was made.
Bug 1414187 has the details (although that is still private). We
"inoculated" hg.mozilla.org against this vulnerability by preventing
subrepos from being pushed (bug 1414373). So if you have a vulnerable
client and all you do is interact with repositories on hg.mozilla.org, you
are protected.
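The server-side control the post describes (refusing pushes that add subrepositories) can be expressed as a Mercurial pretxnchangegroup hook. The block below is an added example written for this page; it is not Mozilla's hook from bug 1414373 and not code from the Mercurial project. It assumes the hook is registered under an hgrc path of your choosing and that, as in Mercurial's Python API, a changeset context exposes the files it touches via `ctx.files()` and the hook receives `node`/`node_last` bounding the incoming changesets. The two file names it looks for, `.hgsub` and `.hgsubstate`, are Mercurial's own subrepository manifest and pin files; a subrepo definition only counts at the repository root, so `docs/.hgsub` is deliberately ignored. The core decision lives in a plain function so it can be exercised without a Mercurial installation.

```python
"""Mercurial pretxnchangegroup hook that rejects pushes introducing subrepos.

Register it on the server (the file path is an assumption for this example):

    [hooks]
    pretxnchangegroup.prevent_subrepos = python:/srv/hg/hooks/prevent_subrepos.py:hook

A pretxnchangegroup hook runs after the changegroup is applied but before the
transaction commits, so returning non-zero rolls the whole push back.
"""

# .hgsub lists the subrepositories (Mercurial, Git or Subversion) and
# .hgsubstate pins the revision each one is checked out at. A changeset that
# touches either at the repository root is adding or editing subrepos.
SUBREPO_FILES = frozenset((".hgsub", ".hgsubstate"))


def _as_text(name):
    """Mercurial hands filenames to hooks as bytes on Python 3; normalise."""
    return name.decode("utf-8", "replace") if isinstance(name, bytes) else name


def find_subrepo_changesets(changesets):
    """Return [(rev, [offending files])] for changesets that touch subrepo files.

    ``changesets`` is an iterable of (rev, files) pairs, where ``files`` is the
    list of root-relative paths a changeset modifies, as ctx.files() reports
    them. Only an exact root-level match counts: a nested subrepo keeps its own
    .hgsub inside the subrepo, never at a sub-path of the parent.
    """
    hits = []
    for rev, files in changesets:
        bad = sorted(f for f in map(_as_text, files) if f in SUBREPO_FILES)
        if bad:
            hits.append((rev, bad))
    return hits


def hook(ui, repo, hooktype, node=None, node_last=None, **kwargs):
    """Entry point Mercurial calls; non-zero aborts the transaction.

    pretxnchangegroup supplies ``node`` (first incoming changeset) and
    ``node_last`` (last one); the contiguous revision range between them is
    exactly what this push would add.
    """
    first = repo[node].rev()
    last = repo[node_last].rev() if node_last else first
    incoming = ((rev, repo[rev].files()) for rev in range(first, last + 1))
    hits = find_subrepo_changesets(incoming)
    if not hits:
        return 0
    for rev, files in hits:
        # ui.warn wants bytes on Python 3 Mercurial, hence the encode.
        msg = "rejecting push: changeset %d touches %s (subrepositories are not allowed)\n" % (
            rev, ", ".join(files))
        ui.warn(msg.encode("utf-8"))
    return 1


if __name__ == "__main__":
    # Constructed sample push, not real data: three changesets, one of which
    # adds a subrepo definition at the root. Bytes and str are mixed on purpose
    # to mirror what different Mercurial versions pass through.
    sample = [
        (10, [b"README", b"src/main.c"]),
        (11, [b".hgsub", b".hgsubstate"]),
        (12, ["docs/.hgsub"]),  # not at the root, so not a subrepo definition
    ]
    for rev, files in find_subrepo_changesets(sample):
        print("changeset %d would be rejected for %s" % (rev, files))
```

Because the check runs in pretxnchangegroup rather than a post-push hook, a vulnerable client never sees the offending changesets on the server: the transaction is rolled back before anything becomes visible to clones or pulls.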