-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2264
                  SourceTree Security Advisory 2017-08-11
                              7 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian SourceTree
Publisher:         Atlassian
Operating System:  OS X
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000117
                   CVE-2017-1000116
                   CVE-2017-1000115
                   CVE-2017-9800
Reference:         ESB-2017.2073
                   ESB-2017.2037
                   ESB-2017.2024

Original Bulletin:
   https://confluence.atlassian.com/x/c-mdNw

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/c-mdNw .

CVE ID:

* CVE-2017-1000117 - Git.
* CVE-2017-1000115 - Mercurial.
* CVE-2017-1000116 - Mercurial.
* CVE-2017-9800 - Subversion.

Product: SourceTree.

Affected SourceTree product versions:

* SourceTree for macOS 1.0b2 <= version < 2.6.1
* SourceTree for Windows 0.5.1.0 <= version < 2.1.10

Fixed SourceTree product versions:

* Versions of SourceTree for macOS equal to and above 2.6.1 contain a fix
  for this issue.
* Versions of SourceTree for Windows equal to and above 2.1.10 contain a fix
  for this issue.

Summary:

This advisory discloses critical severity security vulnerabilities which
affect SourceTree for macOS and SourceTree for Windows. Versions of SourceTree
for macOS starting with 1.0b2 before version 2.6.1 and versions of SourceTree
for Windows starting with 0.5.1.0 before version 2.1.10 are affected by this
vulnerability.

Customers who have upgraded SourceTree for macOS to version 2.6.1 are not
affected. Customers who have upgraded SourceTree for Windows to version 2.1.10
are not affected.

Customers who have downloaded and installed SourceTree for macOS starting with
1.0b2 before version 2.6.1, or SourceTree for Windows starting with 0.5.1.0
before version 2.1.10, should upgrade their SourceTree for macOS or SourceTree
for Windows installations immediately to fix the vulnerabilities mentioned in
this advisory.

SourceTree for macOS and Windows - Remote Code Execution via Git and Mercurial
- - Multiple CVEs

Severity:

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own
IT environment.

Description:

SourceTree for macOS and Windows are affected by vulnerabilities found in the
Git and Mercurial software. This vulnerability can be triggered through a
malicious repository when it is checked out using SourceTree. From version
1.4.0 of SourceTree for macOS and 0.8.4b of SourceTree for Windows, this
vulnerability can also be triggered from a webpage through the use of the
SourceTree URI handler.

Versions of SourceTree for macOS starting with 1.0b2 before version 2.6.1 and
versions of SourceTree for Windows starting with 0.5.1.0 before version 2.1.10
are affected by this vulnerability.

This issue can be tracked for macOS at
https://jira.atlassian.com/browse/SRCTREE-4904 and for Windows at
https://jira.atlassian.com/browse/SRCTREEWIN-7663.

Remediation:

Upgrade SourceTree for macOS to version 2.6.1 or higher. Please note that
since SourceTree for Mac 2.5.0, OS X 10.11 or later is required.

Upgrade SourceTree for Windows to version 2.1.10 or higher.

You can download the latest version of SourceTree from
https://www.sourcetreeapp.com/ .

Support:

Atlassian supports SourceTree through the Atlassian Community.
If you have questions or concerns regarding this advisory, go to
https://community.atlassian.com/t5/SourceTree/ct-p/sourcetree .

- -----BEGIN PGP SIGNATURE-----

iQI0BAEBCgAeBQJZr1kdFxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8
Unag+WgP/3IIGyB+oShEgGGmRaSUsT9bA2Vqis/0i9nr/I//f5XACt897M+THELj
2S+ZD9RiALjkCD5Hq2wvTvs42KWt34+ImKQutI8FqnMf96cIszPhuhwurd7NdcX8
hhfZbVx1RZra7wKK2FbyC64VlxlYKHcNOvpTyDHAuki5bhBFkwLI0hf8vXWNPYZg
w6i6EzLC+QQNoEO5qb+NURuAImWt2tGQWsskLMbwlJIdrqsqQ3TrjUvKAgvRfkUn
1H8cCDArA1HpQKz6peI32NeuvC2WcI3Zc7sKP7qDW/pNRk0iIDkRlJ8AlRMEu/LD
DgpJVhpVmDkdWHCy4SRN9Was3mRnaL9uZxsY6GUH2wi8Nt4/3JKJKsbG+MhmY762
B/NLuUA78mqDos6I0KxCjluhPOeFKv8W/BGkexLEjAoV2c348Fy5+X1S4vdoGlq+
+z7zyCUf3fsi6iz/Nt1C3vY/q76m1hL1VI5HX3btizwLOenUof6RDt6jTBzaA+zS
xt6YpwB1K+P2Lv32ChGFjAtAUljqoIqWK6brJljxHM5ey24hnovYYBJq8DI/xKPr
6EDGLAseEHldKy+8nAJ4BHgDWYco5jx0++GaHzLQTW/1VLn3uAXDK4MGJPcsLYQ6
WIlV192qlMUMPk53X3kAYNQG7t2EevWKn960hR8s/bwCm3Pvuvbi
=l639
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWbDvWIx+lLeg9Ub1AQjLPQ/+JG0IRioqLlMUmzX7890h8BjPU00jQWSY
dD8lJJRRyq91iulgY9orqZ1ddNsAOjTpjqPfP/KsQaCuN/KJgOVC6L8uCJt2grCZ
iTfr4bC07jpUADLOFrUybizeUqml/ySqpiVQUbFoVGFKqWkeCOm0ropkYkj8xTZd
deFv8dFA5T9Vo3gQTPf7lQsK5Y0gpjZzGduSqXBOC309DMCnpBCPOpXtpenuUz9P
hdMe60iBTZkXVZt2MVMKh269iMtXLhMB1ZqnhIZZjPJ0a6V7FT1TLb4ktJs/fv7i
iVZl6d4ReL5un+kzu9I8T4aVHWpNib0I5s6p92/j4TuwwcwkHq7py+AWp+6ZpC8d
YfCVz98WTExBP+iuO9HinGOKCEzZ5PW7zA8SSc1+7I0E+p/1dBa96sXZXwBbGkMw
kTa/iB73pgl3bMCxlKcfWL/WDyWEXpGpOosLc0PUzQFtgE2K0x5hQy7hQwReYrna
3+8jbybM6gDyLlZTx5be5NYPqBlmCOPlOTwFUm/miBj1R919raayAY89f0+Pehy4
2TMtn7wzJeMGhMY6hqA4X5AeNMp1T3O1JmzgrMZ1WYbyX2/OKnmudisGhvTUPz/3
vSEldVEjYMUApy4JhtXwKZNrpQVeoo5dG2JXiFZKON2ZIrTE60Lwh1pGh5gf1Ay2
27LjSfL0pFg=
=+XiJ
-----END PGP SIGNATURE-----
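As an added example that is not part of the AusCERT bulletin or Atlassian's advisory, the following Python script encodes the affected ranges stated above (macOS 1.0b2 <= version < 2.6.1, Windows 0.5.1.0 <= version < 2.1.10) and checks an inventory of installed SourceTree versions against them. It handles the mixed three- and four-part numbering and the 1.0b2 beta lower bound, which a naive string comparison gets wrong. The inventory hostnames and versions are constructed for the demonstration.

```python
"""Check SourceTree versions against the affected ranges in ESB-2017.2264."""
import re
from typing import Dict, List, Tuple

# Affected ranges exactly as the advisory states them:
# lower bound inclusive, upper bound exclusive (the fixed release).
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "macos": ("1.0b2", "2.6.1"),
    "windows": ("0.5.1.0", "2.1.10"),
}

# One dotted component: digits, optional pre-release tag, optional tag number.
_COMPONENT = re.compile(r"^(\d+)([A-Za-z]+)?(\d*)$")

VersionKey = List[Tuple[int, int, str, int]]


def parse_version(version: str) -> VersionKey:
    """Turn a SourceTree version string such as '1.0b2' into a sortable key.

    Each dotted component becomes (number, is_final, tag, tag_number) so that a
    pre-release component like '0b2' sorts below the final '0': is_final is 0
    for tagged components and 1 for plain ones.
    """
    key: VersionKey = []
    for component in version.strip().split("."):
        match = _COMPONENT.match(component)
        if not match:
            raise ValueError(f"unrecognised component {component!r} in {version!r}")
        number, tag, tag_number = match.groups()
        if tag:
            key.append((int(number), 0, tag.lower(), int(tag_number or 0)))
        else:
            key.append((int(number), 1, "", 0))
    return key


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is lower than, equal to or higher than b.

    Shorter keys are padded with final zero components, so 2.1.10 compares
    equal to 2.1.10.0 and the three- and four-part schemes mix safely.
    """
    ka, kb = parse_version(a), parse_version(b)
    fill = (0, 1, "", 0)
    width = max(len(ka), len(kb))
    ka += [fill] * (width - len(ka))
    kb += [fill] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(platform: str, version: str) -> bool:
    """True when version falls inside the advisory's affected range for platform."""
    low, high = AFFECTED_RANGES[platform.lower()]
    return compare_versions(version, low) >= 0 and compare_versions(version, high) < 0


def hosts_needing_upgrade(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Filter a (hostname, platform, version) inventory down to affected hosts."""
    return [host for host, platform, version in inventory if is_affected(platform, version)]


# Constructed sample inventory for the demonstration; hostnames are invented.
SAMPLE_INVENTORY = [
    ("dev-mac-01", "macos", "2.6.1"),      # fixed release
    ("dev-mac-02", "macos", "2.5.2"),      # affected
    ("dev-mac-03", "macos", "1.0b2"),      # oldest affected beta
    ("dev-win-01", "windows", "2.1.10"),   # fixed release
    ("dev-win-02", "windows", "2.1.9"),    # affected
    ("dev-win-03", "windows", "0.5.0.9"),  # below the affected range
]

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required (ESB-2017.2264)")
```

Version strings that do not fit the advisory's numbering scheme raise a ValueError rather than silently comparing as unaffected, so an unexpected format surfaces during the scan instead of hiding a vulnerable install.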