This email refers to the advisory found at https://confluence.atlassian.com/x/jW2xNQ .

CVE ID:

* CVE-2017-8768.

Product: SourceTree.

Affected SourceTree product versions:

* SourceTree for Mac 1.4.0 <= version < 2.5.1
* SourceTree for Windows 0.8.4b <= version < 2.0.20.1

Fixed SourceTree product versions:

* Versions of SourceTree for Mac equal to and above 2.5.1 contain a fix for this issue.
* Versions of SourceTree for Windows equal to and above 2.0.20.1 contain a fix for this issue.

Summary:

This advisory discloses a critical security vulnerability in versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1 and SourceTree for Windows starting with 0.8.4b but before 2.0.20.1.

Customers who have upgraded SourceTree for Mac to version 2.5.1 are not affected. Customers who have upgraded SourceTree for Windows to version 2.0.20.1 are not affected.

Customers who have downloaded and installed SourceTree for Mac starting with 1.4.0 but before 2.5.1 (the fixed version for 2.5.x) or who have downloaded and installed SourceTree for Windows starting with 0.8.4b but before 2.0.20.1 (the fixed version for 2.0.x) please upgrade SourceTree to the latest version to fix this vulnerability.

Command Injection - CVE-2017-8768:

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:

SourceTree for Mac and Windows are affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface. Versions of SourceTree for Mac starting with 1.4.0 but before 2.5.1 and versions of SourceTree for Windows starting with 0.8.4b but before 2.0.20.1 are affected by this vulnerability.

The issue for SourceTree for Mac can be found at https://jira.atlassian.com/browse/SRCTREE-4738 and for SourceTree for Windows at https://jira.atlassian.com/browse/SRCTREEWIN-7161 .

Remediation:

Upgrade SourceTree for Mac to version 2.5.1 or higher. Please note that since SourceTree for Mac 2.5.0 Mac OSX 10.11 or later is required.

Upgrade SourceTree for Windows to version 2.0.20.1 or higher.

For a full description of the latest version of SourceTree, see the release notes for Mac (https://www.sourcetreeapp.com/update/releasenotes/2.5.1.html) and for Windows (https://www.sourcetreeapp.com/update/windows/ga/ReleaseNotes_2.0.20.1.html). You can download the latest version of SourceTree from https://www.sourcetreeapp.com/.

Acknowledgements:

Atlassian would like to credit Yu Hong for reporting this issue to us.

Support:

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
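An added example, not part of Atlassian's advisory: a Python check that triages a software inventory against the affected ranges stated above. The function names, the inventory layout and the sample rows are constructed for illustration, and treating the letter suffix in 0.8.4b as a pre-release marker is an assumption.

```python
import re

# Ranges copied from the advisory: lower bound inclusive, fixed version exclusive.
AFFECTED = {"mac": ("1.4.0", "2.5.1"), "windows": ("0.8.4b", "2.0.20.1")}

def sort_key(version):
    """Turn '2.0.20.1' or '0.8.4b' into a comparable key."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:   # 2.5.1.0 compares equal to 2.5.1
        nums.pop()
    suffix = m.group(2)
    # Assumption: a letter suffix marks a pre-release, so 0.8.4b sorts before 0.8.4.
    return (tuple(nums), 0 if suffix else 1, suffix)

def is_affected(platform, version):
    """True when version lies in the advisory's range for that platform."""
    low, fixed = AFFECTED[platform.lower()]
    return sort_key(low) <= sort_key(version) < sort_key(fixed)

def triage(inventory):
    """Label each (host, platform, version) row: affected, not-in-range or review."""
    report = []
    for host, platform, version in inventory:
        try:
            status = "affected" if is_affected(platform, version) else "not-in-range"
        except (KeyError, ValueError):
            status = "review"   # unknown platform or odd version string: check by hand
        report.append((host, platform, version, status))
    return report

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("dev-mac-01", "mac", "2.4.1"),
    ("dev-mac-02", "mac", "2.5.1"),
    ("dev-win-01", "windows", "2.0.20"),
    ("dev-win-02", "windows", "2.0.20.1"),
    ("dev-win-03", "windows", "unknown"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("%-11s %-8s %-9s %s" % row)
```

Rows marked "review" could not be parsed and need a manual check rather than being assumed safe.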