mercurial upgrade to 4.2.3
Mercurial released a security update for version 4.2.
Upgrade for edge: https://github.com/alpinelinux/aports/pull/2124
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.2.3_.282017-08-10.29
1.2. CVE-2017-1000115
Mercurial’s symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
1.3. CVE-2017-1000116
Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed.
(from redmine: issue id 7665, created on 2017-08-11)
- Relations:
- relates #7691 (closed)
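
The hostname check described for CVE-2017-1000116, as an added example that is not Mercurial's own code and not part of the original issue: it rejects any ssh:// URL whose user or host would be read by ssh as an option, including percent-encoded forms, before an argument list is built. The function names and the sample URLs are constructed for illustration.

```python
# Added example (hypothetical helper names, not Mercurial's implementation).
from urllib.parse import urlsplit, unquote


class UnsafeSshUrl(ValueError):
    """A URL component could be interpreted by ssh as a command-line option."""


def ssh_destination(url):
    """Return (user, host, port) for an ssh:// URL or raise UnsafeSshUrl."""
    parts = urlsplit(url)
    if parts.scheme != "ssh" or not parts.netloc:
        raise UnsafeSshUrl("not an ssh URL: %r" % url)
    # Split by hand: urlsplit().hostname lowercases and .port may raise.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    # Decode first, so "%2DoProxyCommand" is checked as "-oProxyCommand".
    user = unquote(userinfo.partition(":")[0])
    host = unquote(host)
    if not host:
        raise UnsafeSshUrl("empty host in %r" % url)
    if port and not port.isdigit():
        raise UnsafeSshUrl("non-numeric port in %r" % url)
    for label, value in (("user", user), ("host", host)):
        # A leading "-" is what lets the value be parsed as an ssh option.
        if value.startswith("-"):
            raise UnsafeSshUrl("%s starts with '-': %r" % (label, value))
    return user, host, port


def ssh_argv(url, remote_cmd):
    """Build an argument list (never a shell string) for a validated URL."""
    user, host, port = ssh_destination(url)
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    argv.append("%s@%s" % (user, host) if user else host)
    argv.append(remote_cmd)
    return argv


def is_safe(url):
    """True when the URL passes validation, False otherwise."""
    try:
        ssh_destination(url)
        return True
    except UnsafeSshUrl:
        return False
```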