Summary of changes from August 5, 2017 to August 11, 2017.
| Codebase | Repository | {icon lock} | HEAD | Activity |
|----------|------------|--|------|----------|
| Phabricator | rP | | rP45b0fd8f9b | 25 commits |
| Arcanist | rARC | | rARC5eda4033 | 0 commits |
| libphutil | rPHU | | rPHU276f6d3 | 1 commit |
| Instances (SAAS) | rSAAS | {icon lock} | rSAAS84a242a | 21 commits |
| Services (SAAS) | rSERVICES | {icon lock} | rSERVICES08219d6 | 0 commits |
| Core (SAAS) | rCORE | {icon lock} | rCORE2e472df | 0 commits |
- These changes were promoted to `stable`.
General
=======
IMPORTANT: This release contains a major security fix.
All of Git, Mercurial and Subversion were vulnerable to an issue with mishandling of SSH URIs, until simultaneous releases on August 10th, 2017. This vulnerability could lead to arbitrary code execution.
You should upgrade Phabricator, Git, Mercurial, and Subversion on the server, and Git, Mercurial and Subversion on all clients, immediately.
For additional discussion, see T12961.
Security
========
- See "General" for an information on a major security issue.
Migrations
==========
- //No migrations in this period.//
Upgrading / Compatibility
=========================
- Phabricator no longer populates or updates Mercurial working copies for observed repositories. This is a partial mitigation for the security issue mentioned above. If you relied on Phabricator to maintain a working copy for you, you'll need to find a different strategy. Phabricator has not populated or updated working copies for //hosted// Mercurial repositories for at least several years.
- Removed obsolete `bin/files purge` workflow.
Minor
=====
- Fixed an issue where dates prior to 1970 could hang in Javascript.
- The "Rejected Older Diff" reviewer icon is now red, not grey.