Hi Neal,
I missed that you had already written here, as I was working on fixes for
these CVEs for RHEL. I have already pushed updates for F25+ into dist-git
(builds are pending for testing now), except for thg, which was completely
outside of my scope.

Just info for others:
hg for F26+ is rebased to v4.2.3
hg for F25 contains a backported patch

On 10.8.2017 20:30, Neal Becker wrote:
> CVE-2017-1000115:
> 
> Mercurial's symlink auditing was incomplete prior to 4.3, and could be 
> abused to write to files outside the repository.
> 
> CVE-2017-1000116:
> 
> Mercurial was not sanitizing hostnames passed to ssh, allowing shell 
> injection attacks by specifying a hostname starting with -oProxyCommand. 
> 
> Currently we have:
> 
>       hg      thg
> f25   3.8.1   3.8.3(f24)
> f26   4.2     4.2.1
> 
> Mercurial upstream has provided fixed versions 4.3 and 4.2.3.
> 
> I propose that for f26 we update hg to 4.2.3, and together with thg 4.2.3 
> (currently latest is 4.2.2)
> 
> I propose for f25 to similarly update hg and thg to 4.2.3
> 
> Another package that requires mercurial and may be affected is hg-git.

hg-git shouldn't be affected by the changes from 4.2.1 to 4.2.3.
(It is broken for mercurial-4.3+, but some patches are already prepared
upstream.)



-- 
Petr Stodulka
Core Services (In-place upgrades and migrations)
IRC nicks: pstodulk, skytak
Red Hat
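As an added example, not code from this thread, from Fedora or from Mercurial itself: a small Python validator that takes an ssh:// URL, builds the local ssh argv for it and refuses any component that ssh would read as an option, which is the hardening the CVE-2017-1000116 description above implies (a hostname beginning with "-" must never reach ssh's argument parser). The function names (build_ssh_argv, check_ssh_argument), the set of URL components checked, and the shape of the remote command ("hg -R <path> serve --stdio") are assumptions of this example, not a statement of how Mercurial's fix is written.

```python
"""Added example (not from the thread or from Mercurial): validate the
components of an ssh:// URL before they are placed in an ssh argv."""
import shlex
from urllib.parse import urlsplit


class UnsafeSshArgument(ValueError):
    """Raised when a URL component would be parsed by ssh as an option."""


def check_ssh_argument(value, what):
    # ssh treats any argv element that starts with '-' as an option, so a
    # hostname or username beginning with '-' becomes a configuration knob
    # (the -oProxyCommand case from the CVE description). Reject it outright.
    if value.startswith("-"):
        raise UnsafeSshArgument(
            f"illegal ssh {what} {value!r}: must not start with '-'")
    # Whitespace or NULs have no place in a hostname, user or repo path and
    # only make later quoting mistakes easier, so reject those as well.
    if "\0" in value or any(ch.isspace() for ch in value):
        raise UnsafeSshArgument(
            f"illegal ssh {what} {value!r}: contains whitespace or NUL")
    return value


def build_ssh_argv(url):
    """Return the local ssh argv (a list, to be run WITHOUT shell=True) that
    would serve the Mercurial repository named by an ssh:// URL.

    Assumed remote command shape: 'hg -R <path> serve --stdio'.
    """
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise ValueError("only ssh:// URLs are handled by this example")

    host = check_ssh_argument(parts.hostname or "", "hostname")
    if not host:
        raise ValueError("ssh URL has no hostname")

    argv = ["ssh"]
    # urlsplit().port raises ValueError for a non-numeric port, so the port
    # cannot smuggle an option either; it is passed as its own argument.
    if parts.port is not None:
        argv += ["-p", str(parts.port)]

    target = host
    if parts.username:
        check_ssh_argument(parts.username, "username")
        target = f"{parts.username}@{host}"
    argv.append(target)

    # The repository path is interpreted by the remote shell, so it is
    # checked like the other components and then shell-quoted.
    path = check_ssh_argument(parts.path.lstrip("/"), "path")
    argv.append(f"hg -R {shlex.quote(path)} serve --stdio")
    return argv


if __name__ == "__main__":
    # Constructed sample inputs; the second and third are rejected.
    print(build_ssh_argv("ssh://alice@example.org:2222/projects/repo"))
    for bad in ("ssh://-oProxyCommand/repo", "ssh://-ouser@example.org/repo"):
        try:
            build_ssh_argv(bad)
        except UnsafeSshArgument as exc:
            print("rejected:", exc)
```

The argv is returned as a list so that it can be handed to subprocess.Popen without shell=True; that alone keeps the hostname away from a local shell, but it does nothing about ssh's own option parsing, which is why the leading "-" check is still needed on every component that lands in the argv.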
