Per https://nvd.nist.gov/vuln/detail/CVE-2017-8768 the vulnerability is in the custom URL command handler.
I had 1.9.13 installed (on Windows 10), and then installed 18.104.22.168.
So the dangerous custom url handler still runs, and still loads the vulnerable v1.9.x despite the installation of v22.214.171.124.
Unless you manually uninstall 1.x, it seems that this vulnerability still exists!
I hope this is just something unusual with my setup, but I've tried un-installing and re-installing 126.96.36.199 and the same issue persists,
The security warning email and page say:
"Customers who have upgraded to SourceTree for Mac version 2.5.1 or SourceTree for Windows version 188.8.131.52 are not affected."
This does not appear to be true. To be true it would need to add "and have manually uninstalled all 1.x".
Some comments on the limited attempts made to notify the user:
To test this for yourself:
1. Create a new html file with contents such as:
<html> <head> </head> <body> <a href="sourcetree://vulnerability">Is this still vulnerable</a> </body> </html>
2. Open the html file in a browser and click the link. If SourceTree 1.9.x opens you are likely still vulnerable
I realise SourceTree is free and you are presumably under lots of pressure over the last few days, so I do want to say thanks for the hard work and I hope these issues can be resolved quickly.
I don't believe anything in this discusses security issues that are not already in the public domain (or trivially related to it). If you disagree, please feel free to remove this comment and point me at your security contact.
Supported Platforms macOS Windows To make using Sourcetree as simple yet powerful as possible we embed (bundle) dependencies such as Git, Git LFS, and Mercurial. We strive to keep these...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs