Security releases for Git, Mercurial, and Subversion

Ryan VanderMeulen rvandermeulen at mozilla.com
Thu Aug 10 19:18:29 UTC 2017


Friendly reminder that for Windows users, you can update Mercurial from the
MozillaBuild command prompt by running the |pip install -U mercurial|
command.

-Ryan

On Thu, Aug 10, 2017 at 3:10 PM, Gregory Szorc <gps at mozilla.com> wrote:

> Git, Mercurial, and Subversion just had a coordinated release to mitigate
> a security vulnerability regarding the parsing of ssh:// URLs. Essentially,
> well-crafted ssh:// URLs (e.g. in a subrepo, submodule, or svn:externals
> references) could lead to local code execution. If you run a command like
> `git clone --recurse-submodules` or `hg pull --update` and nefarious data
> is received, you could be p0wned.
>
> This is tracked in at least CVE-2017-1000116 and CVE-2017-1000117.
>
> In addition, Mercurial issued a security fix for symlink handling that
> could result in arbitrary filesystem write (attempts) for well-crafted
> symlinks. This is CVE-2017-1000115.
>
> You should upgrade your version control clients ASAP to eliminate exposure
> to these bugs. Until you do, be extra cognizant where you pull from -
> especially any operation related to subrepos/submodules.
>
> As of today, hg.mozilla.org is now configured to not allow subrepos and
> symlinks on non-user repos. The main Firefox repos have been audited and no
> "bad" data is present. So, the canonical Firefox repos cannot be used as a
> delivery vehicle for these exploits. I anticipate popular hosting services
> like GitHub and Bitbucket will take similar actions and make similar
> announcements.
>
> Critical version control infrastructure like hg.mozilla.org and Autoland
> has been patched for several days courtesy of responsible early disclosure
> of the vulnerabilities and fixes from the Mercurial Project.
>
> Announcements:
>
> hg: https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html
> git: http://marc.info/?l=git&m=150238802328673&w=2
> svn: http://mail-archives.apache.org/mod_mbox/subversion-announce/201708.mbox/%3C2fefe468-7d41-11e7-aea1-9312c6089150%40apache.org%3E
>
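The audit Gregory describes (checking that no subrepo/submodule reference or symlink in a repository is "bad" data) can be scripted. The following is an added example, not code from the thread, from Mozilla, or from the git/hg projects; it assumes a `.gitmodules`-style file as input, and the specific check it applies (an ssh:// host that is empty or begins with a dash, which the ssh command spawned by git/hg could read as an option) is the public root cause of the ssh:// CVEs named above, not a detail stated in the thread. The sample `.gitmodules` text and all host names are constructed.

```python
import os

# Constructed sample .gitmodules (not from any real repository). The second
# entry's ssh:// host begins with a dash, the shape the patched clients reject.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = ssh://git@example.invalid/libfoo.git
[submodule "vendor/odd"]
\tpath = vendor/odd
\turl = ssh://-bogus-host/odd.git
"""

def parse_gitmodules(text):
    """Parse .gitmodules into {name: {key: value}}; a tiny parser, not git's."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[submodule") and line.endswith("]"):
            current = line[len("[submodule"):-1].strip().strip('"')
            modules[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            modules[current][key.strip()] = value.strip()
    return modules

def ssh_host(url):
    """Host part of an ssh:// URL (user@ stripped), or None for other schemes."""
    if not url.lower().startswith("ssh://"):
        return None
    netloc = url[len("ssh://"):].split("/", 1)[0]
    return netloc.rsplit("@", 1)[-1]

def suspicious_ssh_url(url):
    """True for an ssh:// URL whose host is empty or begins with '-': such a
    host can be read as an option by the ssh command git/hg spawn."""
    host = ssh_host(url)
    return host is not None and (host == "" or host.startswith("-"))

def audit_gitmodules(text):
    """Names of submodules whose url fails suspicious_ssh_url, sorted."""
    return sorted(name for name, kv in parse_gitmodules(text).items()
                  if suspicious_ssh_url(kv.get("url", "")))

def symlink_escapes(repo_root, link_relpath, target):
    """True if a symlink at repo_root/link_relpath -> target resolves outside
    repo_root; pure path arithmetic, so nothing is followed on disk."""
    root = os.path.normpath(os.path.abspath(repo_root))
    base = os.path.dirname(os.path.join(root, link_relpath))
    resolved = os.path.normpath(target if os.path.isabs(target)
                                else os.path.join(base, target))
    return resolved != root and not resolved.startswith(root + os.sep)
```

Run `audit_gitmodules` over each revision's `.gitmodules` (or adapt the parser to `.hgsub`) and `symlink_escapes` over every symlink in the tree to reproduce the kind of repository audit the announcement mentions.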