After SourceTree update a security warning asks me to renew Mercurial
Since I upgraded to SourceTree 1.9.5.0, I am frequently reminded to upgrade Mercurial from 3.2.3 to 3.7.3 due to a security vulnerability. I will do that in the near future, but I am interested to know about the nature of the vulnerability.
It's rather easy to find out: Look at the mercurial website. If the vulnerability is fixed in 3.7.3 it will be stated there: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
From the changelog:
CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.
CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.
CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.
- Why can't a malicious site obtain a CSRF token via GET before attacking?
- Resource of Cost of Declaring Variables and Scope
- SQL Server returns error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'." in Windows application
- github Dependabot alert: Inefficient Regular Expression Complexity in nth-check
- Storing passwords to login to third party APIs
- How to best utilize ASP .NET Membership database?
- how to secure my website
- Understanding CSRF
- REST API from mobile app - Does securing the first call with a CAPTCHA make sense?
- How to disable access security notice "A Potential security concern has been identified"
- Addressing critical vulnerabilities in Maven dependencies
- IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'System.Text.StringBuilder'
- How can I obtain the user's Logon Session SID (e.g. S-1-5-5-X-Y) or otherwise verify RMF SC-23 Unique Identifiers in Windows
- Is it secure to store passwords as environment variables (rather than as plain text) in config files?
- How can I skip old vulnerabilities and break only with new ones using Snyk scan on Azure DevSecOps?
- Generating a random password in php
- Access token and Refresh token best practices ? How to implement Access & Refresh Tokens
- Securely storing an access token
- Why does angular add ng-version attribute to the app-root html tag
- How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository
- Conditional Column-level permissions in PostgreSQL
- Embedding youtube video "Refused to display document because display forbidden by X-Frame-Options"
- How can I prevent SQL injection in PHP?
- IFrame security and CORS
- Should I impose a maximum length on passwords?
- <app> would like to access data from other apps - macOS Sonoma
- SELinux syntax error when optional is used inside a tunable_policy macro
- Generate cryptographically secure random numbers in php
- How to get through security error pages in the Firefox web browser?
- How to handle cookies securely during the REST API call in SWIFT 3 or 4?