Git · Git · CVE-2014-9390
**Name of the Vulnerable Software and Affected Versions**
Git versions 1.8.5.6 and earlier, 1.9.x through 1.9.4, 2.0.x through 2.0.4, 2.1.x through 2.1.3, and 2.2.x through 2.2.0
Mercurial versions prior to 3.2.3
Apple Xcode versions prior to 6.2 beta 3
mine versions prior to 08-12-2014
libgit2 versions up to 0.21.2
Egit versions prior to 08-12-2014
JGit versions prior to 08-12-2014
**Description**
The issue allows remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
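
The three conditions above can be checked defensively before a tree is written to disk. The following Python sketch is an added example, not code from the advisory or from any of the affected projects; the function names, the set of ignorable code points and the sample paths are assumptions constructed for illustration.

```python
import re

# Assumption of this example: zero-width and directional-formatting code
# points treated as "ignorable" when a filesystem compares file names.
IGNORABLE = re.compile("[\u200c-\u200f\u202a-\u202e\u206a-\u206f\ufeff]")


def dotgit_alias(component):
    """Return why one path component would resolve to '.git', or None."""
    if component == ".git":
        return "exact"
    stripped = IGNORABLE.sub("", component)
    folded = stripped.lower()
    if folded == ".git":
        # Distinguish condition (1) from condition (3) for reporting.
        if stripped != component:
            return "ignorable-codepoint"
        return "mixed-case"
    if folded == "git~1":
        # Condition (2): the short-name representation of '.git'.
        return "short-name"
    return None


def scan_tree_paths(paths):
    """Return (path, reason) for every path with a '.git'-aliasing component."""
    findings = []
    for path in paths:
        for component in path.split("/"):
            reason = dotgit_alias(component)
            if reason:
                findings.append((path, reason))
                break
    return findings


# Constructed sample of tree paths, as a client might receive them.
SAMPLE_PATHS = [
    "src/main.c",
    ".GIT/config",
    ".g\u200cit/config",
    "GIT~1/config",
    "docs/.gitignore",
    "lib/git~10/notes.txt",
]

if __name__ == "__main__":
    for path, reason in scan_tree_paths(SAMPLE_PATHS):
        print(f"{reason}: {path!r}")
```

The path list can be produced from an already fetched commit with `git ls-tree -r --name-only`; a hit means the tree should be rejected rather than checked out on an unpatched client.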
**Recommendations**
For Git versions 1.8.5.6 and earlier, 1.9.x through 1.9.4, 2.0.x through 2.0.4, 2.1.x through 2.1.3, and 2.2.x through 2.2.0, update to a version later than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4, or 2.2.1 respectively.
For Mercurial versions prior to 3.2.3, update to version 3.2.3 or later.
For Apple Xcode versions prior to 6.2 beta 3, update to version 6.2 beta 3 or later.
For mine versions prior to 08-12-2014, update to a version released after 08-12-2014.
For libgit2 versions up to 0.21.2, update to a version later than 0.21.2.
For Egit versions prior to 08-12-2014, update to a version released after 08-12-2014.
For JGit versions prior to 08-12-2014, update to a version released after 08-12-2014.