Security releases for Git, Mercurial, and Subversion

Ryan VanderMeulen rvandermeulen at
Thu Aug 10 19:18:29 UTC 2017

Friendly reminder that for Windows users, you can update Mercurial from the
MozillaBuild command prompt by running |pip install -U mercurial|.


On Thu, Aug 10, 2017 at 3:10 PM, Gregory Szorc <gps at> wrote:

> Git, Mercurial, and Subversion just had a coordinated release to mitigate
> a security vulnerability regarding the parsing of ssh:// URLs. Essentially,
> well-crafted ssh:// URLs (e.g. in a subrepo, submodule, or svn:externals
> references) could lead to local code execution. If you run a command like
> `git clone --recurse-submodules` or `hg pull --update` and nefarious data
> is received, you could be p0wned.
>
> This is tracked in at least CVE-2017-1000116 and CVE-2017-1000117.
>
> In addition, Mercurial issued a security fix for symlink handling that
> could result in arbitrary filesystem write (attempts) for well-crafted
> symlinks. This is CVE-2017-1000115.
>
> You should upgrade your version control clients ASAP to eliminate exposure
> to these bugs. Until you do, be extra cognizant where you pull from -
> especially any operation related to subrepos/submodules.
>
> As of today, is now configured to not allow subrepos and
> symlinks on non-user repos. The main Firefox repos have been audited and no
> "bad" data is present. So, the canonical Firefox repos cannot be used as a
> delivery vehicle for these exploits. I anticipate popular hosting services
> like GitHub and Bitbucket will take similar actions and make similar
> announcements.
>
> Critical version control infrastructure like and Autoland
> has been patched for several days courtesy of responsible early disclosure
> of the vulnerabilities and fixes from the Mercurial Project.
>
> Announcements:
>
> hg:
> August/050522.html
>
> git:
>
> svn:
> announce/201708.mbox/%3C2fefe468-7d41-11e7-aea1-
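For readers who want to see what "well-crafted ssh:// URL" means in the message above, here is an added example (it is not part of the thread and not code from the Git or Mercurial projects). The mechanism behind CVE-2017-1000116 and CVE-2017-1000117 is that the client passed the URL's host to the ssh binary as a positional argument, and ssh treats an argument beginning with "-" as an option; a host such as -oProxyCommand=... therefore runs a command instead of connecting. The patched clients refuse user, host and port values that begin with "-"; the script below applies the same check to the .gitmodules and .hgsub files of a checkout so you can triage before recursing. All hosts, paths and the "some-command" payload in the sample files are constructed placeholders.

```python
"""Spot ssh:// URLs that an unpatched Git/Mercurial client would hand to ssh
as command-line options (the pattern behind CVE-2017-1000116/1000117).

ssh treats a first argument beginning with '-' as an option, so a URL whose
user, host or port starts with '-' (e.g. -oProxyCommand=...) makes the client
run an attacker-chosen command instead of connecting. Patched clients refuse
such values; this script applies the same check to .gitmodules / .hgsub files.
Added example, not the projects' own code.
"""

import re
from typing import List, Optional, Tuple


def _authority_parts(authority: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split 'user@host:port' into (user, host, port); missing parts are None."""
    user: Optional[str] = None
    if "@" in authority:
        user, authority = authority.rsplit("@", 1)
    host, port = authority, None
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:2222
        end = host.find("]")
        if end != -1:
            host, rest = host[: end + 1], host[end + 1 :]
            if rest.startswith(":"):
                port = rest[1:]
    elif ":" in host:
        host, port = host.rsplit(":", 1)
    return user, host, port


def looks_like_option(value: Optional[str]) -> bool:
    """True if ssh would read this token as an option rather than a name."""
    return bool(value) and value.startswith("-")


def ssh_url_is_dangerous(url: str) -> bool:
    """True if an ssh:// URL carries a user, host or port beginning with '-'."""
    if not url.lower().startswith("ssh://"):
        return False
    authority = url[len("ssh://"):].split("/", 1)[0]
    user, host, port = _authority_parts(authority)
    return any(looks_like_option(part) for part in (user, host, port))


# .gitmodules is git-config syntax: 'url = <value>' lines under [submodule "x"].
_GITMODULES_URL = re.compile(r"^\s*url\s*=\s*(.+?)\s*$", re.MULTILINE)
# .hgsub lines are 'path = [kind]source'; the [kind] prefix is optional.
_HGSUB_LINE = re.compile(
    r"^[ \t]*([^#=\s][^=]*?)[ \t]*=[ \t]*(?:\[(\w+)\])?(\S+)", re.MULTILINE)


def flag_gitmodules(text: str) -> List[str]:
    """Return the submodule URLs in a .gitmodules file that fail the check."""
    return [u for u in _GITMODULES_URL.findall(text) if ssh_url_is_dangerous(u)]


def flag_hgsub(text: str) -> List[str]:
    """Return the subrepo sources in a .hgsub file that fail the check."""
    return [src for _path, _kind, src in _HGSUB_LINE.findall(text)
            if ssh_url_is_dangerous(src)]


# Constructed sample files (hosts, paths and 'some-command' are placeholders).
SAMPLE_GITMODULES = """\
[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = ssh://git@example.org/lib.git
[submodule "evil"]
\tpath = evil
\turl = ssh://-oProxyCommand=some-command/repo.git
"""

SAMPLE_HGSUB = """\
# path = source
vendor/lib = ssh://hg@example.org/lib
tools = [git]ssh://git@example.org/tools.git
evil = ssh://-oProxyCommand=some-command/repo
"""

if __name__ == "__main__":
    for name, hits in (("gitmodules", flag_gitmodules(SAMPLE_GITMODULES)),
                       ("hgsub", flag_hgsub(SAMPLE_HGSUB))):
        print(f"{name}: {len(hits)} dangerous URL(s)", *hits, sep="\n  ")
```

Run it against a real checkout by reading .gitmodules or .hgsub into the flag_* functions. It only inspects the ssh:// form the message discusses; git also accepts the scp-style user@host:path form, which the patched client checks as well, so treat this as a triage aid and still upgrade.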