After a SourceTree update, a security warning asks me to update Mercurial
Since I upgraded to SourceTree 1.9.5.0, I keep being reminded to upgrade Mercurial from 3.2.3 to 3.7.3 because of a security vulnerability. I will do that in the near future, but I am interested in knowing the nature of the vulnerability.
I ran into this too.
In SourceTree, go to Tools → Options → Mercurial and click the Update Mercurial button. Then restart SourceTree.
It is easy to find: look at the Mercurial website. If the vulnerability was fixed in 3.7.3, it is described here: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_3.7.3_.282016-3-29.29
From the changelog:
CVE-2016-3630 Mercurial: remote code execution in binary delta decoding
Mercurial prior to 3.7.3 contained two bounds-checking errors in its binary delta decoder that may be exploitable via clone, push, or pull.
CVE-2016-3068 Mercurial: arbitrary code execution with Git subrepos
Mercurial prior to 3.7.3 allowed URLs for Git subrepos that could result in arbitrary code execution on clone. This is a further side-effect of Git CVE-2015-7545. Reported by Blake Burkhart.
CVE-2016-3069 Mercurial: arbitrary code execution when converting Git repos
Mercurial prior to 3.7.3 allowed arbitrary code execution when converting Git repos with hostile names. This could affect automated conversion services. Reported by Blake Burkhart.
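All three entries above share one fix threshold, 3.7.3, so the practical check is whether the Mercurial that SourceTree (or any other tool) actually runs is at or above that release. The script below is an added example and not from the original answer or from Mercurial itself; it parses the banner printed by `hg version` (the sample banner is constructed) and flags anything older than 3.7.3 as affected by the CVEs quoted above. The `check_installed_hg` helper and its `hg` parameter are assumptions for illustration.

```python
import re
import subprocess

# First release carrying the fixes for all three changelog entries above.
FIXED_VERSION = (3, 7, 3)
FIXED_CVES = ("CVE-2016-3630", "CVE-2016-3068", "CVE-2016-3069")

# `hg version` prints e.g. "Mercurial Distributed SCM (version 3.7.3+20160401)";
# capture only the dotted numeric part, ignoring any "+build" suffix.
_VERSION_RE = re.compile(r"\(version\s+([0-9]+(?:\.[0-9]+)*)")


def parse_hg_version(banner: str) -> tuple:
    """Return the numeric version tuple found in an `hg version` banner.

    Raises ValueError when the banner carries no recognisable version.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no Mercurial version found in banner: %r" % banner)
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: tuple) -> bool:
    """True when the version predates 3.7.3, i.e. is affected by the CVEs above."""
    # Pad short tuples so that (3, 7) compares like (3, 7, 0).
    padded = version + (0,) * max(0, len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION


def check_installed_hg(hg="hg"):
    """Run the given hg binary and return (version, vulnerable), or None if hg is absent.

    Pass the path of SourceTree's bundled hg to check that copy rather than
    whatever is first on PATH (assumed helper; path is site specific).
    """
    try:
        out = subprocess.run([hg, "version"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    version = parse_hg_version(out)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample banner matching the asker's 3.2.3 install.
    sample = "Mercurial Distributed SCM (version 3.2.3)"
    v = parse_hg_version(sample)
    status = "affected by " + ", ".join(FIXED_CVES) if is_vulnerable(v) else "patched"
    print("%s -> %s" % (".".join(map(str, v)), status))
```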