Atlassian update for Git and Mercurial vulnerability

By on December 18, 2014

The maintainers of the Git and Mercurial open source projects have identified a vulnerability in the Git and Mercurial clients for Macintosh and Windows operating systems that could allow critical files to be overwritten with unwanted files, including executables.

SourceTree users should update their Git client with one of the published Git maintenance releases (, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) or Mercurial client with the latest release.


SourceTree for Mac 2.0.4 and SourceTree for Windows 1.6.12 have both been released to address this security vulnerability.

The Mac version includes embedded versions of Git and Mercurial which address the security vulnerability. If you are using system Git or Mercurial please ensure you update your local copies, alternatively you can switch to using embedded versions which are the latest releases of both Git and Mercurial.

EDIT (Mac): Because previously we only supported embedded version 2.2.2 this is a big leap forward for embedded Mercurial. As a result, having hgsubversion enabled will cause errors. To fix this go into your SourceTree preferences by either hitting ⌘, on the keyboard or via the “SourceTree” menu in your toolbar, then browsing to the Mercurial tab. At the bottom of this tab is the “Extensions” section. Ensure “hgsubversion” is unchecked and everything should work again as it should. We will be bringing back support for this extension in a future version of SourceTree.

The Windows version now defaults to download an updated version of Git and Mercurial. To update your embedded version go to the Git and/or Mercurial tabs in Tools > Options and click on “Update Embedded Git” or “Update Embedded Mercurial” respectively.

update embedded git


  • Posted December 20, 2014 at 4:11 pm | Permalink

    Any chance we’ll see a SourceTree 1.8.2 patch (for the rest of us still using the last sane version of SourceTree)?

    • Posted December 22, 2014 at 12:54 am | Permalink

      Hey Ben,

      We don’t usually support previous major versions like this, primarily because our build environment changes so drastically, especially for an older version like 1.8.2. You can just switch to using a system Git version that fixes the issue though and not rely on the embedded Git.


  • Guest
    Posted February 2, 2015 at 2:41 pm | Permalink

    Is the CVE-2014-9390 fix the only (intended) update in Mac SourceTree 2.0.4?

    It’s got some user interface regressions, too, so if the capitalization bug is the only thing I’m missing out on (not an issue for me, since I only work with trusted repositories), then I’ll downgrade back to 2.0.3.

    • Posted February 3, 2015 at 5:57 am | Permalink

      Hey there,

      The release notes available from the SourceTree menu show what was fixed in each version.


      • Guest
        Posted February 3, 2015 at 10:29 am | Permalink

        Thanks! Looks like I’m good to go back to 2.0.3 for now.

        I must have missed that menu because 2.0.4 is missing all the menubar nibs! 🙂

  • spieler
    Posted February 3, 2015 at 5:46 am | Permalink

    2.0.5. for mac crashes on start reproducible … is there a 2.0.4-Version?