Security Warning (Git, Mercurial, SVN)

Git, Mercurial and SVN recently released fixes for vulnerabilities in their client-side applications that could lead to remote code execution on the victim's machine.

If you are using Git, Mercurial and/or SVN, it is strongly recommended that you upgrade to the latest versions to ensure that you are protected from these vulnerabilities.

As some of our products use Git, Mercurial and/or SVN, our security team has investigated the impact of these vulnerabilities on our products. Products other than those mentioned below are not impacted, and no further action is required for them.

SourceTree

SourceTree for macOS and Windows is impacted by these vulnerabilities when configured to use Git and/or Mercurial. We have released two new versions of SourceTree to protect our customers against these vulnerabilities: Windows customers can now update to version 2.1.10 (or higher), and macOS customers can now update to version 2.6.1 (or higher).

If you would like more information about the SourceTree vulnerability, please read our security advisory.

Bamboo

Bamboo instances that are configured to use Git and/or Mercurial are impacted by these vulnerabilities. Bamboo does not come with Git and/or Mercurial installed by default; however, if you have configured your Bamboo instance to use Git and/or Mercurial, it is strongly recommended that you upgrade to the latest versions to ensure that you are protected from these vulnerabilities. Bamboo instances are not impacted by the SVN vulnerability.

In addition, Bamboo Agents that have vulnerable versions of Git, Mercurial and/or SVN installed are potentially vulnerable to malicious Bamboo build plans and should also have their versions updated.

FishEye/Crucible

FishEye/Crucible instances that are configured to use Git and/or Mercurial are impacted by these vulnerabilities. FishEye/Crucible does not come with Git and/or Mercurial installed by default; however, if you have configured your FishEye/Crucible instance to use Git and/or Mercurial, it is strongly recommended that you upgrade to the latest versions to ensure that you are protected from these vulnerabilities.

FishEye/Crucible is not impacted by the SVN vulnerability.

Bitbucket Server

Bitbucket Server is not affected by the Git, Mercurial or SVN issues mentioned on this page, as Bitbucket Server does not invoke any of these applications in a malicious way. However, it is possible that a third-party plugin is vulnerable, so it is recommended that all installed versions of Git, Mercurial and/or SVN be updated to non-vulnerable versions.