Vulnerabilities in both Mercurial and Git, on the client-side, have been identified which could allow an attacker to compromise user security on both Mac and Windows file systems.
In Git, according to the git-blame blog, the issue is that you could potentially commit and check out any permutation of .GIT/<anything>, except .git/<anything>, and end up overwriting it. This is caused by case-insensitive file systems.
This vulnerability could then allow an attacker to compromise your repository, because the next time you run git pull you would pull code from a malicious repo. On OSX there is an additional issue, because certain Unicode codepoints are treated as ignorable when file names are compared.
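As an added illustration (not part of the original post, and not RhodeCode code), the check below scans a list of tree paths for components that a case-insensitive file system would treat as the .git directory: case-folded spellings, names containing codepoints HFS+ ignores, and the trailing-dot and 8.3 short-name aliases NTFS resolves. The sample tree is constructed; the ignorable-codepoint set mirrors the one Git's own hardened path check uses.

```python
# Codepoints HFS+ ignores when comparing file names (same set Git's path check skips).
HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def hfs_normalize(component: str) -> str:
    """Fold case and drop ignorable codepoints, as HFS+ does on lookup."""
    return "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE).lower()


def ntfs_normalize(component: str) -> str:
    """Fold case and drop trailing dots/spaces, as NTFS does on lookup."""
    return component.rstrip(". ").lower()


def is_dotgit_alias(component: str) -> bool:
    """True if this path component would resolve to .git on Mac or Windows.

    The exact lower-case '.git' is included too; Git already refuses it, but a
    scanner should treat it the same way as the aliases.
    """
    if hfs_normalize(component) == ".git":
        return True
    n = ntfs_normalize(component)
    if n == ".git":
        return True
    # NTFS 8.3 short names: a directory called .git is also reachable as GIT~1.
    return n.startswith("git~") and n[4:].isdigit()


def find_unsafe_paths(paths):
    """Return every path (e.g. from `git ls-tree -r --name-only HEAD`) with a .git alias."""
    return [p for p in paths if any(is_dotgit_alias(c) for c in p.split("/"))]


# Constructed sample tree listing: four aliases plus two legitimate entries.
SAMPLE_TREE = [
    "README.md",
    ".GIT/config",                      # case-folded alias
    ".git\u200c/hooks/post-checkout",   # zero-width non-joiner, ignored by HFS+
    ".git./config",                     # trailing dot dropped by NTFS
    "GIT~1/config",                     # 8.3 short name of .git on NTFS
    "docs/.gitignore",                  # legitimate, must not be flagged
]

if __name__ == "__main__":
    for path in find_unsafe_paths(SAMPLE_TREE):
        print("unsafe tree entry:", repr(path))
```

Run against the output of git ls-tree -r --name-only on each branch before accepting a push or pulling from an unfamiliar remote; any hit means a checkout on a Mac or Windows client would write into .git/.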
For Mercurial users the release notes regarding the issue are here.
Having investigated both of these issues today, we are happy to say that neither affects your running instance of RhodeCode Enterprise. But, you should update your Git and Mercurial version on your workstations.
Git Server-Side
On RhodeCode Enterprise server-side there is no issue. The .git/config file is not parsed, as all the configuration and permission settings are managed by RhodeCode Enterprise, and not set in the Git repository.
Mercurial Server-Side
On RhodeCode Enterprise server-side there is also no issue. All the Mercurial configuration and permission settings are managed by RhodeCode Enterprise, and not set using Mercurial.
Client-Side
On your local machine, it is recommended that you update your version of git and/or mercurial. There won’t be an issue with running a different version server-side and you will have secured your local machine against a potential attack using this new vulnerability.
- If you are running Git on Windows, see Git for Windows and upgrade to 1.9.5.
- If you are running Git on Mac, you will need to upgrade your Xcode as well as upgrading Git.
- To upgrade Mercurial on your local system, see the Mercurial download page for instructions.