We, the monotone team, have just released version 0.48.1 of our version control system.
This release contains an important security bugfix amongst other minor changes: monotone servers that have remote command execution enabled can be crashed if the client sends an empty command string to the server. If you have this feature enabled, we urge you to update your servers to the new version. Distributions should hopefully provide new packages soon as well.
If you cannot update for some reason and do not want to deactivate the feature completely, you can also simply place the following workaround in your server’s monotonerc:
    -- Permission hook for remote automate commands.
    -- 'command' is the table of strings sent by the client; the
    -- first entry is the command name. Refuse an empty command
    -- name before any further processing, which avoids the crash.
    function get_remote_automate_permitted(key, command, opts)
        if command[1] == "" then
            return false
        end
        --
        -- remaining configuration ...
        --
    end
The new version can be downloaded at the usual place. Binaries are posted as they come in.
Update: monotone’s NEWS entry doesn’t make it clear which versions are affected by this vulnerability. Since remote command execution became available in 0.46, the affected versions are 0.46, 0.47 and 0.48.