Per https://nvd.nist.gov/vuln/detail/CVE-2017-8768 the vulnerability is in the custom URL command handler.
I had 1.9.13 installed (on Windows 10), and then installed 126.96.36.199.
So the dangerous custom url handler still runs, and still loads the vulnerable v1.9.x despite the installation of v188.8.131.52.
Unless you manually uninstall 1.x, it seems that this vulnerability still exists!
I hope this is just something unusual with my setup, but I've tried un-installing and re-installing 184.108.40.206 and the same issue persists.
The security warning email and page say:
"Customers who have upgraded to SourceTree for Mac version 2.5.1 or SourceTree for Windows version 220.127.116.11 are not affected."
This does not appear to be true. To be true it would need to add "and have manually uninstalled all 1.x".
Some comments on the limited attempts made to notify the user:
To test this for yourself:
1. Create a new html file with contents such as:
<html> <head> </head> <body> <a href="sourcetree://vulnerability">Is this still vulnerable</a> </body> </html>
2. Open the html file in a browser and click the link. If SourceTree 1.9.x opens you are likely still vulnerable.
I realise SourceTree is free and you are presumably under lots of pressure over the last few days, so I do want to say thanks for the hard work and I hope these issues can be resolved quickly.
I don't believe anything in this discusses security issues that are not already in the public domain (or trivially related to it). If you disagree, please feel free to remove this comment and point me at your security contact.
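A quicker way to see which executable Windows will actually launch for a sourcetree:// link, without clicking anything, is to read the protocol handler registration directly. This is an added example, not code from the post above or from Atlassian; it assumes SourceTree registers its handler in the standard `HKEY_CLASSES_ROOT\<scheme>\shell\open\command` location (the key name `sourcetree` and the function name are assumptions), and reports the file version of whatever binary that command points at.

```powershell
# Added example (not from the original post). Resolves the registered handler for a
# URL scheme and reports the version of the executable it points to, so an admin can
# confirm the handler no longer resolves to a 1.9.x binary after upgrading.
function Get-UrlSchemeHandler {
    param([string]$Scheme = 'sourcetree')   # assumed key name for sourcetree:// links

    # HKCR is the merged view of HKCU\Software\Classes and HKLM\Software\Classes,
    # so this is the registration the shell will actually use.
    $key = "Registry::HKEY_CLASSES_ROOT\$Scheme\shell\open\command"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Scheme = $Scheme; Registered = $false; Command = $null; Exe = $null; Version = $null }
    }

    $cmd = (Get-Item $key).GetValue('')       # default value holds the launch command
    # Executable is either the first quoted token or the first whitespace-delimited token.
    $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }

    $ver = $null
    if ($exe -and (Test-Path $exe)) {
        $ver = (Get-Item $exe).VersionInfo.FileVersion
    }

    [pscustomobject]@{
        Scheme     = $Scheme
        Registered = $true
        Command    = $cmd
        Exe        = $exe
        Version    = $ver
        # Flag the case the post describes: handler still resolves to a 1.x build.
        Legacy1x   = ($ver -ne $null) -and ($ver -match '^1\.')
    }
}

Get-UrlSchemeHandler -Scheme 'sourcetree' | Format-List
```

If `Legacy1x` is `True` (or `Exe` is under a 1.x install directory), the registration still points at the old client and the upgrade alone has not removed the exposure; after uninstalling 1.x, re-run and confirm the command resolves to the new binary.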