Security releases for Git, Mercurial, and Subversion

Mike Conley mconley at mozilla.com
Thu Aug 10 19:22:08 UTC 2017


And for the folks using Homebrew, this is the pull request to track to
get the new formula:

https://github.com/Homebrew/homebrew-core/pull/16634

On 2017-08-10 3:18 PM, Ryan VanderMeulen wrote:
> Friendly reminder that for Windows users, you can update Mercurial from
> the MozillaBuild command prompt by running the |pip install -U
> mercurial| command.
> 
> -Ryan
> 
> On Thu, Aug 10, 2017 at 3:10 PM, Gregory Szorc <gps at mozilla.com> wrote:
> 
>     Git, Mercurial, and Subversion just had a coordinated release to
>     mitigate a security vulnerability regarding the parsing of ssh://
>     URLs. Essentially, well-crafted ssh:// URLs (e.g. in a subrepo,
>     submodule, or svn:externals references) could lead to local code
>     execution. If you run a command like `git clone
>     --recurse-submodules` or `hg pull --update` and nefarious data is
>     received, you could be p0wned.
> 
>     This is tracked in at least CVE-2017-1000116 and CVE-2017-1000117.
> 
>     In addition, Mercurial issued a security fix for symlink handling
>     that could result in arbitrary filesystem write (attempts) for
>     well-crafted symlinks. This is CVE-2017-1000115.
> 
>     You should upgrade your version control clients ASAP to eliminate
>     exposure to these bugs. Until you do, be extra cognizant where you
>     pull from - especially any operation related to subrepos/submodules.
> 
>     As of today, hg.mozilla.org is now configured to not allow subrepos
>     and symlinks on non-user repos. The
>     main Firefox repos have been audited and no "bad" data is present.
>     So, the canonical Firefox repos cannot be used as a delivery vehicle
>     for these exploits. I anticipate popular hosting services like
>     GitHub and Bitbucket will take similar actions and make similar
>     announcements.
> 
>     Critical version control infrastructure like hg.mozilla.org and
>     Autoland has been patched for several
>     days courtesy of responsible early disclosure of the vulnerabilities
>     and fixes from the Mercurial Project.
> 
>     Announcements:
> 
>     hg: https://www.mercurial-scm.org/pipermail/mercurial/2017-August/050522.html
>     git: http://marc.info/?l=git&m=150238802328673&w=2
>     svn: http://mail-archives.apache.org/mod_mbox/subversion-announce/201708.mbox/%3C2fefe468-7d41-11e7-aea1-9312c6089150%40apache.org%3E
> 
> 
>     _______________________________________________
>     firefox-dev mailing list
>     firefox-dev at mozilla.org
>     https://mail.mozilla.org/listinfo/firefox-dev
> 
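The advice above is to be careful about subrepo/submodule operations and to audit repositories for ssh:// references before pulling. The following is an added helper for that audit, not Mozilla's or Mercurial's own code: it parses `.gitmodules` and `.hgsub` and reports every submodule or subrepo source that would be fetched through the ssh client, so those entries can be reviewed by hand. The hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Added audit helper (not Mozilla's or Mercurial's own code). Lists the
# submodule/subrepo references that would be fetched via ssh so they can be
# reviewed before `git clone --recurse-submodules` or `hg pull --update`.
SSH_SCHEMES = {"ssh", "git+ssh", "ssh+git", "svn+ssh"}
SCP_LIKE = re.compile(r"^[^/@:]+@[^/:]+:")   # user@host:path also uses ssh
SECTION = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
KIND = re.compile(r"^\[(\w+)\](.*)$")         # .hgsub "[git]source" prefix

def uses_ssh(url):
    # True if fetching `url` would hand it to the ssh client.
    scheme = urlsplit(url).scheme.lower()
    return scheme in SSH_SCHEMES or (not scheme and bool(SCP_LIKE.match(url)))

def gitmodules_refs(text):
    # Parse .gitmodules text into {submodule name: url}.
    refs, name = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            name = m.group(1)
        elif name is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "url":
                refs[name] = value
    return refs

def hgsub_refs(text):
    # Parse .hgsub text into {subrepo path: source}, dropping the [kind] prefix.
    refs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            path, source = (s.strip() for s in line.split("=", 1))
            m = KIND.match(source)
            refs[path] = m.group(2).strip() if m else source
    return refs

def ssh_subrepo_refs(gitmodules_text="", hgsub_text=""):
    # Entries from both files whose source would be fetched over ssh.
    refs = {f".gitmodules:{k}": v for k, v in gitmodules_refs(gitmodules_text).items()}
    refs.update({f".hgsub:{k}": v for k, v in hgsub_refs(hgsub_text).items()})
    return {k: v for k, v in refs.items() if uses_ssh(v)}

if __name__ == "__main__":
    # Constructed sample .hgsub, not data from any real repository.
    sample = "vendor/lib = [git]ssh://git@example.invalid/lib.git\ndocs = ../docs\n"
    print(ssh_subrepo_refs(hgsub_text=sample))
```

Run it against the `.gitmodules` and `.hgsub` at the root of a checkout and review any entry it returns before recursing into subrepos or submodules.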

