AUSCERT External Security Bulletin Redistribution
SourceTree Security Advisory 2017-08-11
7 September 2017
AusCERT Security Bulletin Summary
Product: Atlassian SourceTree
Operating System: OS X
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
CVE Names: CVE-2017-1000117 CVE-2017-1000116 CVE-2017-1000115
- --------------------------BEGIN INCLUDED TEXT--------------------
This email refers to the advisory found at
* CVE-2017-1000117 - Git.
* CVE-2017-1000115 - Mercurial.
* CVE-2017-1000116 - Mercurial.
* CVE-2017-9800 - Subversion.
Affected SourceTree product versions:
* SourceTree for macOS 1.0b2 <= version < 2.6.1
* SourceTree for Windows 0.5.1.0 <= version < 2.1.10
Fixed SourceTree product versions:
* Versions of SourceTree for macOS, equal to and above 2.6.1 contain a
fix for this issue.
* Versions of SourceTree for Windows, equal to and above 2.1.10
contain a fix for this issue.
This advisory discloses critical severity security vulnerabilities
which affect SourceTree for macOS and SourceTree for Windows. Versions
of SourceTree for macOS starting with 1.0b2 before version 2.6.1 and
versions of SourceTree for Windows starting with 0.5.1.0 before
version 2.1.10 are affected by this vulnerability.
Customers who have upgraded SourceTree for macOS to version 2.6.1 are
not affected. Customers who have upgraded SourceTree for Windows to
version 2.1.10 are not affected.
Customers who have downloaded and installed SourceTree for macOS
starting with 1.0b2 before version 2.6.1, or who have downloaded and
installed SourceTree for Windows starting with 0.5.1.0 before version
2.1.10, should upgrade their SourceTree for macOS or SourceTree for
Windows installations immediately to fix the vulnerabilities mentioned
in this advisory.
SourceTree for macOS and Windows - Remote Code Execution via Git and
Mercurial - Multiple CVEs
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to
your own IT environment.
SourceTree for macOS and Windows are affected by vulnerabilities found
in the Git and Mercurial software. These vulnerabilities can be
triggered through a malicious repository when it is checked out using
SourceTree. From version 1.4.0 of SourceTree for macOS and 0.8.4b of
SourceTree for Windows, they can also be triggered from a webpage
through the use of the SourceTree URI handler.
Versions of SourceTree for macOS starting with 1.0b2 before version
2.6.1 and versions of SourceTree for Windows starting with 0.5.1.0
before version 2.1.10 are affected by this vulnerability. This issue
can be tracked at: https://jira.atlassian.com/browse/SRCTREE-4904 and
for Windows at https://jira.atlassian.com/browse/SRCTREEWIN-7663.
Upgrade SourceTree for macOS to version 2.6.1 or higher. Please note
that since SourceTree for Mac 2.5.0, OS X 10.11 or later is required.
Upgrade SourceTree for Windows to version 2.1.10 or higher.
You can download the latest version of SourceTree from
Atlassian supports SourceTree through the Atlassian Community. If you
have questions or concerns regarding this advisory, go to
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.