The maintainers of the Git and Mercurial open source projects have identified a vulnerability in the Git and Mercurial clients for Macintosh and Windows operating systems that could allow critical files to be overwritten with unwanted files, including executables.
SourceTree for Mac 2.0.4 and SourceTree for Windows 1.6.12 have both been released to address this security vulnerability.
The Mac version includes embedded versions of Git and Mercurial which address the security vulnerability. If you are using system Git or Mercurial, please ensure you update your local copies. Alternatively, you can switch to the embedded versions, which are the latest releases of both Git and Mercurial.
EDIT (Mac): Because we previously supported only embedded version 2.2.2, this is a big leap forward for embedded Mercurial. As a result, having hgsubversion enabled will cause errors. To fix this, open your SourceTree preferences, either by pressing ⌘, on the keyboard or via the “SourceTree” menu in your toolbar, then browse to the Mercurial tab. At the bottom of this tab is the “Extensions” section. Ensure “hgsubversion” is unchecked and everything should work again. We will be bringing back support for this extension in a future version of SourceTree.
The Windows version now defaults to downloading an updated version of Git and Mercurial. To update your embedded version, go to the Git and/or Mercurial tabs in Tools > Options and click on “Update Embedded Git” or “Update Embedded Mercurial” respectively.