Upgrading Git/Mercurial in SourceTree for Mac

Problem

SourceTree version 2.0.4 and later's embedded Git/Mercurial versions address CVE-2014-9390. If you are using system Git/Mercurial please ensure you update them.

Cause

Security vulnerability CVE-2014-9390

Resolution

If you are running SourceTree for Mac version 2.0.3 or earlier, here's how to fix your Git/Hg versions:

Update Git

  1. Download Git version 2.2.1 or later - at the time of writing git-scm.com's download page still links an older binary version for Mac so download from here instead: http://sourceforge.net/projects/git-osx-installer/files/latest/download
  2. Open the Git DMG and run the included install package
  3. Open a fresh terminal and run 'git --version' from the command line and check that it says version 2.2.1. If not, edit ~/.profile or ~/.bash_profile and add to the bottom: "export PATH=/usr/local/git/bin:$PATH", then close & re-open your terminal and repeat the test
  4. Open SourceTree, then press "⌘," to open Preferences
  5. Select the Git tab, then click the 'Use System Git' button - in the Finder window make sure the version in /usr/local/git/bin is selected
  6. The Git Version box should now report 'System Git version 2.2.1'

Update Mercurial

Currently the hgsubversion extension packaged with SourceTree does not work with Mercurial 3.2.3 and must be disabled. This will be addressed in a future update. Disable it before updating to avoid errors:

  1. Open SourceTree, then press "⌘," to open Preferences
  2. Select the Mercurial tab
  3. In the Extensions box, scroll down until you see the hgsubversion line
  4. Uncheck the box & close Preferences

Updating Mercurial:

  1. Download Mercurial version 3.2.3+ for your OS from http://mercurial.selenic.com/downloads
  2. Run the installer
  3. Open a fresh terminal, run 'hg --version' and check that it is 3.2.3 or later. If not, run 'which hg' and uninstall that version (hg's installer installs in /usr/local/bin, so this should not be an issue)
  4. Open SourceTree, then press "⌘," to open Preferences
  5. Select the Mercurial tab, then click the 'Use System Mercurial' button
  6. The Mercurial Version box should now report 'System Mercurial version 3.2.3'

You now have versions of Git & Hg on the command line and in SourceTree that are not vulnerable to this issue.
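The version checks from step 3 of both procedures can be combined into one script. This is an added example, not part of the original article; the function names are made up for illustration, and the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example. Minimum versions are the ones this article names.
GIT_MIN=2.2.1
HG_MIN=3.2.3

# Print the first dotted version number found in the text on stdin,
# e.g. "git version 2.2.1" -> 2.2.1 (constructed sample).
extract_version() {
    sed -n 's/[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' | head -n 1
}

# Succeed when version $1 >= version $2, comparing field by field as numbers
# (so 2.10.0 is newer than 2.2.1, which a string comparison gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# $1 = label, $2 = minimum version, $3 = text printed by "<tool> --version".
# Returns 0 if new enough, 1 if an update is needed, 2 if unparseable.
check_version_text() {
    found=$(printf '%s\n' "$3" | extract_version)
    if [ -z "$found" ]; then
        echo "$1: could not parse a version number"; return 2
    fi
    if version_ge "$found" "$2"; then
        echo "$1 $found: OK (>= $2)"
    else
        echo "$1 $found: UPDATE NEEDED (< $2)"; return 1
    fi
}

# Check the copy of command $1 that the shell resolves first on PATH.
check_installed() {
    tool_path=$(command -v "$1") || { echo "$1: not found on PATH"; return 3; }
    echo "$1 resolves to $tool_path"
    check_version_text "$1" "$2" "$("$1" --version 2>/dev/null)"
}

check_installed git "$GIT_MIN" || true
check_installed hg "$HG_MIN" || true
```

The path it prints is the one to compare against the location chosen with 'Use System Git' or 'Use System Mercurial', since an older copy earlier on PATH is the case step 3 is guarding against.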

To upgrade the version of Git/Mercurial used in SourceTree, open your SourceTree preferences either by hitting ⌘, or via the SourceTree menu > Preferences, and go to either the Git or Mercurial tab. From there, go to the 'Git Version' or 'Mercurial Version' box respectively and select either 'Reset to embedded Git/Hg' or 'Use System Git/Hg'. When you select 'Use System Git/Hg', you are prompted to select the location on your system.

 

 


Last modified on Feb 26, 2016
