Atlassian update for Git and Mercurial vulnerability
By Kieran Senior on December 18, 2014
The maintainers of the Git and Mercurial open source projects have identified a vulnerability in the Git and Mercurial clients for the Macintosh and Windows operating systems that could allow critical files to be overwritten with unwanted files, including executables.
SourceTree users should update their Git client to one of the published Git maintenance releases (1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1), or their Mercurial client to the latest release.
UPDATE
SourceTree for Mac 2.0.4 and SourceTree for Windows 1.6.12 have both been released to address this security vulnerability.
The Mac version includes embedded versions of Git and Mercurial that address the security vulnerability. If you are using the system Git or Mercurial, please make sure you update your local copies; alternatively, you can switch to the embedded versions, which are the latest releases of both Git and Mercurial.
EDIT (Mac): Because previously we only supported embedded version 2.2.2, this is a big leap forward for embedded Mercurial. As a result, having hgsubversion enabled will cause errors. To fix this, open your SourceTree preferences, either by pressing ⌘, on the keyboard or via the “SourceTree” menu in your toolbar, then go to the Mercurial tab. At the bottom of this tab is the “Extensions” section. Make sure “hgsubversion” is unchecked and everything should work again as it should. We will be bringing back support for this extension in a future version of SourceTree.
The Windows version now defaults to downloading an updated version of Git and Mercurial. To update your embedded version, go to the Git and/or Mercurial tabs in Tools > Options and click “Update Embedded Git” or “Update Embedded Mercurial” respectively.
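For anyone relying on a system Git rather than the embedded one, the following POSIX shell check, added here and not part of the original post or of Atlassian's or Git's code, reports whether a `git --version` string is one of the maintenance releases listed above or newer. It treats any release newer than 2.2.1 as carrying the fix; the Mercurial side is left out because the post names no Mercurial version number.

```shell
#!/bin/sh
# Added example, not Atlassian's or Git's code: report whether an installed Git
# is one of the CVE-2014-9390 maintenance releases named in the post, or newer.

# Patched releases listed in the post, one per maintenance line.
PATCHED_GIT="1.8.5.6 1.9.5 2.0.5 2.1.4 2.2.1"

# ver_ge A B: succeed when dot-separated numeric version A >= B.
# Missing trailing fields count as 0, so 2.0 compares equal to 2.0.0.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*} bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
    done
    return 0
}

# git_patched STRING: succeed when STRING, either a bare version or the
# output of `git --version`, is a patched release. The "git version " prefix
# and any suffix such as " (Apple Git-50)" or ".windows.1" are dropped first.
git_patched() {
    v=$(printf '%s' "$1" | sed 's/^git version //; s/[^0-9.].*//; s/\.$//')
    for p in $PATCHED_GIT; do
        series=${p%.*}.                # e.g. "1.8.5." or "2.0."
        case $v in
            "$series"*) ver_ge "$v" "$p" && return 0; return 1 ;;
        esac
    done
    # Not on a listed maintenance line: only releases newer than the newest
    # listed fix (2.2.1) carry the fix; anything older than 1.8.5.6 does not.
    ver_ge "$v" 2.2.1
}

# Check the Git on PATH, i.e. the "system Git" the post refers to.
if git_patched "$(git --version 2>/dev/null)"; then
    echo "git: patched"
else
    echo "git: update needed (or git not found)"
fi
```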
13 Comments
Any chance we’ll see a SourceTree 1.8.2 patch (for the rest of us still using the last sane version of SourceTree)?
Hey Ben,
We don’t usually support previous major versions like this, primarily because our build environment changes so drastically, especially for an older version like 1.8.2. You can just switch to using a system Git version that fixes the issue though and not rely on the embedded Git.
Cheers
Is the CVE-2014-9390 fix the only (intended) update in Mac SourceTree 2.0.4?
It’s got some user interface regressions, too, so if the capitalization bug is the only thing I’m missing out on (not an issue for me, since I only work with trusted repositories), then I’ll downgrade back to 2.0.3.
Hey there,
The release notes available from the SourceTree menu show what was fixed in each version.
Cheers
Thanks! Looks like I’m good to go back to 2.0.3 for now.
I must have missed that menu because 2.0.4 is missing all the menubar nibs! 🙂
2.0.5 for Mac crashes on start, reproducibly … is there a 2.0.4 version?
Hey spieler,
Could we get a crash report to figure out what’s going on? Sure, you can get 2.0.4 from http://downloads.atlassian.com/software/sourcetree/SourceTree_2.0.4.dmg
Cheers
No problem. Where should I send it to?
You can either post it on a pasteboard and link us to it here, or attach it to a JIRA issue over at jira.atlassian.com (project SRCTREE).
Cheers
https://www.dropbox.com/s/1ica3pyish1q1x2/crash-Sourcetree.txt?dl=0
2.0.4 works. Thx for your fast reply!
Hey spieler,
I’ve just issued a fix (2.0.5.2) which should fix the problem you were experiencing. If you try and upgrade now you shouldn’t get any problems. If not, just let me know.
Cheers
Fixed! Thx a lot!