
mercurial CVEs - plan for f25 and f26 updates

Mercurial's symlink auditing was incomplete prior to 4.3, and could be
abused to write to files outside the repository.

CVE-2017-1000116:

Mercurial was not sanitizing hostnames passed to ssh, allowing shell
injection attacks by specifying a hostname starting with -oProxyCommand.

Currently we have:

       hg      thg
f25    3.8.1   3.8.3 (f24)
f26    4.2     4.2.1

Mercurial upstream has provided fixed versions 4.3 and 4.2.3.

I propose that for f26 we update hg to 4.2.3, together with thg 4.2.3
(currently the latest is 4.2.2).

I propose for f25 to similarly update hg and thg to 4.2.3

Another package that requires mercurial and may be affected is hg-git.

Thoughts?
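As an added defensive illustration of the CVE-2017-1000116 class of bug (example code written for this post, not Mercurial's own fix): ssh parses its argv positionally, so a "hostname" beginning with "-" is read as an option. The validator below rejects such values before argv is built; the function names, the conservative hostname regex and the default remote command are assumptions.

```python
import re

# Constructed, conservative RFC 1123-style hostname pattern (assumption):
# letters, digits, dots and dashes, and never a leading dash.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


def is_safe_ssh_host(host):
    """True if host can be passed to ssh without being parsed as an option."""
    if not host or host.startswith("-"):
        # e.g. "-oProxyCommand=..." would make ssh run a local command
        return False
    return _HOST_RE.match(host) is not None


def validate_ssh_host(host):
    """Return host unchanged, or raise ValueError if it looks like an option."""
    if not is_safe_ssh_host(host):
        raise ValueError("refusing unsafe ssh hostname: %r" % (host,))
    return host


def build_ssh_argv(host, user=None, port=None,
                   remote_cmd="hg -R repo serve --stdio"):
    """Build ssh's argv as a list (no shell), with every user-supplied part
    checked so none of them can be mistaken for an ssh option."""
    validate_ssh_host(host)
    if user is not None and (not user or user.startswith("-")):
        raise ValueError("refusing unsafe ssh user: %r" % (user,))
    if port is not None and not str(port).isdigit():
        raise ValueError("refusing non-numeric ssh port: %r" % (port,))
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    target = "%s@%s" % (user, host) if user else host
    # "--" ends option parsing in ssh, a second line of defence behind the check
    argv += ["--", target, remote_cmd]
    return argv


if __name__ == "__main__":
    print(build_ssh_argv("hg.example.org", user="alice", port=22))
    print(is_safe_ssh_host("-oProxyCommand=whatever"))  # False
```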