CVE-2017-1000115: Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.

CVE-2017-1000116: Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand.

Currently we have:

      hg      thg
f25   3.8.1   3.8.3(f24)
f26   4.2     4.2.1

Mercurial upstream has provided fixed versions 4.3 and 4.2.3.

I propose that for f26 we update hg to 4.2.3, together with thg 4.2.3 (currently latest is 4.2.2).

I propose for f25 to similarly update hg and thg to 4.2.3.

Another package that requires mercurial and may be affected is hg-git.

Thoughts?

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
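The two classes of check the advisories above describe, shown as an added Python example that is not Mercurial's own code and not part of the mail: an ssh:// URL whose host begins with -oProxyCommand lands in ssh's option position unless the client refuses option-like components, and a checkout can write outside the working directory unless the path audit refuses to traverse a symlink. The function names (parse_ssh_url, ssh_argv_naive, ssh_argv_hardened, is_safe_ssh_url, audit_repo_path, is_safe_repo_path, demo_symlink_escape), the sample URL and the temporary repository layout are all constructed for this demonstration.

```python
import os
import shutil
import tempfile

# Added example, not Mercurial's code. The helper names and sample inputs
# below are hypothetical; they model the checks the two advisories imply.


def parse_ssh_url(url):
    """Split 'ssh://[user@]host[:port]/path' into its parts, with no validation."""
    if not url.startswith("ssh://"):
        raise ValueError("not an ssh:// URL: %r" % url)
    rest = url[len("ssh://"):]
    authority, _, path = rest.partition("/")
    user, _, hostport = authority.rpartition("@")
    host, _, port = hostport.partition(":")
    return {"user": user or None, "host": host, "port": port or None,
            "path": "/" + path}


def ssh_argv_naive(url):
    """Vulnerable shape: the host from the URL is placed where ssh parses
    options, so a host such as '-oProxyCommand=...' is obeyed as an option
    and the given command runs locally before any connection is made."""
    p = parse_ssh_url(url)
    target = p["host"] if not p["user"] else p["user"] + "@" + p["host"]
    argv = ["ssh"]
    if p["port"]:
        argv += ["-p", p["port"]]
    argv += [target, "hg -R %s serve --stdio" % p["path"]]
    return argv


def is_safe_ssh_url(url):
    """Refuse any user, host or port that begins with '-', the class of input
    CVE-2017-1000116 abused, and require a non-empty host."""
    p = parse_ssh_url(url)
    for field in ("user", "host", "port"):
        value = p[field]
        if value is not None and value.startswith("-"):
            return False
    return bool(p["host"])


def ssh_argv_hardened(url):
    """Same argv as the naive builder, but only for URLs that pass the check."""
    if not is_safe_ssh_url(url):
        raise ValueError("refusing ssh URL with option-like component: %r" % url)
    return ssh_argv_naive(url)


def audit_repo_path(root, relpath):
    """Audit a repository-relative path before writing through it: reject
    absolute paths, '.' and '..' components, and any component that is a
    symlink (a symlink inside the repo may point anywhere on disk).
    Returns the absolute path it is safe to write to."""
    if os.path.isabs(relpath):
        raise ValueError("absolute path not allowed: %r" % relpath)
    parts = [p for p in relpath.replace("\\", "/").split("/") if p]
    if not parts or "." in parts or ".." in parts:
        raise ValueError("relative components not allowed: %r" % relpath)
    cur = root
    for comp in parts:
        cur = os.path.join(cur, comp)
        if os.path.islink(cur):
            raise ValueError("path %r traverses symlink %r" % (relpath, comp))
    return cur


def is_safe_repo_path(root, relpath):
    """Boolean wrapper around audit_repo_path for callers that do not want
    the exception."""
    try:
        audit_repo_path(root, relpath)
        return True
    except ValueError:
        return False


def demo_symlink_escape():
    """Constructed scenario: a repo whose 'link' entry points outside it.
    Returns (naive_join_escapes_root, audited_path_rejected)."""
    base = tempfile.mkdtemp(prefix="hgaudit-")
    try:
        root = os.path.join(base, "repo")
        outside = os.path.join(base, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))
        # A plain join followed by the filesystem resolving the symlink
        # ends up under 'outside', not under the repository root.
        naive = os.path.realpath(os.path.join(root, "link", "file"))
        naive_escapes = not naive.startswith(os.path.realpath(root) + os.sep)
        audited_rejects = not is_safe_repo_path(root, "link/file")
        return naive_escapes, audited_rejects
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    bad = "ssh://-oProxyCommand=touch${IFS}/tmp/pwned/repo"  # constructed input
    print("naive argv:", ssh_argv_naive(bad))
    print("hardened accepts:", is_safe_ssh_url(bad))
    print("symlink escape (naive, audited):", demo_symlink_escape())
```

The naive builder shows why the problem is an argument-position one rather than a quoting one: the host is a single, correctly separated argv element, yet ssh still reads it as an option because it comes before `--`. The audit refuses every symlinked component, including the last, since overwriting a symlink's target is exactly the write outside the repository that CVE-2017-1000115 describes.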