Since I upgraded to SourceTree 1.9.5.0, I am frequently reminded to upgrade Mercurial from 3.2.3 to 3.7.3 due to a security vulnerability. I will do that in the near future, but I am interested to know about the nature of the vulnerability.

Lajos Arpad

2 Answers

I'm having it too.

In SourceTree, go to Tools > Options > Mercurial, and just click the Update Mercurial button. Then restart SourceTree.

Daniel A.A. Pelsmaeker
    The question clearly states that the author is interested in the nature of the vulnerability, not how to update to the newer version. – LordWilmore Jul 21 '16 at 12:27
It's rather easy to find out: Look at the mercurial website. If the vulnerability is fixed in 3.7.3 it will be stated there: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29

From the changelog:

CVE-2016-3630 Mercurial: remote code execution in binary delta decoding

Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.

CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos

Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.

CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos

Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.

planetmaker
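To make the first entry, CVE-2016-3630, concrete: a delta decoder that does not validate hunk bounds before slicing is what "bounds-checking errors in its binary delta decoder" refers to. The decoder below is an added illustration, not Mercurial's own code; it assumes Mercurial's delta layout as I understand it (each hunk is start, end, length as big-endian 32-bit integers followed by length bytes of payload, hunks in ascending order) and shows the checks a safe decoder performs before it touches either buffer.

```python
import struct

# Hunk header assumed from Mercurial's delta format: start, end, length
HUNK = struct.Struct(">III")


class DeltaError(ValueError):
    """Raised when a delta does not fit its base text."""


def apply_delta(base: bytes, delta: bytes) -> bytes:
    """Replace base[start:end] with each hunk's payload, in order.

    Every bound is validated before slicing, so a crafted delta cannot
    reference bytes outside base or beyond the end of the delta itself.
    """
    out = bytearray()
    last = 0            # end of the last hunk applied (must be ascending)
    pos = 0             # read cursor in the delta
    n = len(delta)
    while pos < n:
        if n - pos < HUNK.size:
            raise DeltaError("truncated hunk header at offset %d" % pos)
        start, end, length = HUNK.unpack_from(delta, pos)
        pos += HUNK.size
        # Check 1: the hunk must lie inside base and not overlap a prior hunk
        if start < last or start > end or end > len(base):
            raise DeltaError("hunk %d:%d outside base of %d bytes"
                             % (start, end, len(base)))
        # Check 2: the payload must really be present in the delta
        if length > n - pos:
            raise DeltaError("payload of %d bytes exceeds delta" % length)
        out += base[last:start]
        out += delta[pos:pos + length]
        pos += length
        last = end
    out += base[last:]
    return bytes(out)


def make_hunk(start: int, end: int, data: bytes) -> bytes:
    """Encode one hunk; used here to build constructed sample deltas."""
    return HUNK.pack(start, end, len(data)) + data


def delta_is_valid(base: bytes, delta: bytes) -> bool:
    """True if the delta passes all bounds checks against base."""
    try:
        apply_delta(base, delta)
        return True
    except DeltaError:
        return False
```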