Per https://nvd.nist.gov/vuln/detail/CVE-2017-8768 the vulnerability is in the custom URL command handler.
I had 1.9.13 installed (on Windows 10), and then installed 22.214.171.124.
So the dangerous custom url handler still runs, and still loads the vulnerable v1.9.x despite the installation of v126.96.36.199.
Unless you manually uninstall 1.x, it seems that this vulnerability still exists!
I hope this is just something unusual with my setup, but I've tried un-installing and re-installing 188.8.131.52 and the same issue persists.
The security warning email and page say:
"Customers who have upgraded to SourceTree for Mac version 2.5.1 or SourceTree for Windows version 184.108.40.206 are not affected."
This does not appear to be true. To be true it would need to add "and have manually uninstalled all 1.x".
Some comments on the limited attempts made to notify the user:
To test this for yourself:
1. Create a new html file with contents such as:
<html> <head> </head> <body> <a href="sourcetree://vulnerability">Is this still vulnerable</a> </body> </html>
2. Open the html file in a browser and click the link. If SourceTree 1.9.x opens you are likely still vulnerable
I realise SourceTree is free and you are presumably under lots of pressure over the last few days, so I do want to say thanks for the hard work and I hope these issues can be resolved quickly.
I don't believe anything in this discusses security issues that are not already in the public domain (or trivially related to it). If you disagree, please feel free to remove this comment and point me at your security contact.
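As an added example (not part of the original post or Atlassian's own tooling), the following PowerShell script checks which executable Windows will launch for a sourcetree:// link and reports that executable's file version, so an administrator can confirm whether a 1.x build still owns the handler without clicking a link. It assumes the standard per-scheme registration under HKEY_CLASSES_ROOT\<scheme>\shell\open\command; the scheme name "sourcetree" is taken from the link in the post above.

```powershell
# Added example: report which executable handles sourcetree:// links on this machine.
# Assumption: the handler is registered in the usual place for custom URL schemes,
# HKEY_CLASSES_ROOT\<scheme>\shell\open\command (a merged view of the per-machine
# and per-user Classes hives).
$scheme  = 'sourcetree'
$keyPath = "Registry::HKEY_CLASSES_ROOT\$scheme\shell\open\command"

if (-not (Test-Path $keyPath)) {
    Write-Output "No handler registered for ${scheme}://"
    return
}

# The (Default) value holds the command line, typically "C:\...\SourceTree.exe" "%1"
$command = (Get-ItemProperty -Path $keyPath).'(default)'
Write-Output "Handler command: $command"

# Extract the executable path from the command line (quoted or unquoted form).
if ($command -match '^"([^"]+)"') {
    $exe = $Matches[1]
} else {
    $exe = ($command -split ' ')[0]
}

if (-not (Test-Path $exe)) {
    Write-Output "Registered executable not found on disk: $exe"
    return
}

$version = (Get-Item $exe).VersionInfo.FileVersion
Write-Output "Executable:   $exe"
Write-Output "File version: $version"

if ($version -like '1.*') {
    Write-Output "A 1.x build still owns the ${scheme}:// handler; uninstall it as described above."
} else {
    Write-Output "The ${scheme}:// handler points at a non-1.x build."
}
```

The script only reads the HKCR registration; it does not change anything, and a per-user protocol association, if one has been set, can still take precedence over that key.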