[Monotone-announce] [ANNOUNCE] Monotone 0.25.2 -- security fix release


From: Nathaniel Smith
Subject: [Monotone-announce] [ANNOUNCE] Monotone 0.25.2 -- security fix release
Date: Wed, 8 Mar 2006 21:39:58 -0800
User-agent: Mutt/1.5.11

Monotone 0.25.2 has been released, and is now available at the usual
place:
  http://venge.net/monotone/
  http://venge.net/monotone/downloads/
Also as usual, binaries will become available as I receive them.

Description
-----------

The only change in this release as compared to 0.25 is a security fix.
In monotone 0.25 and earlier, if a user created a file inside a
directory named "mt", and that file was checked out on a
case-insensitive filesystem, then the file would end up in monotone's
"MT" bookkeeping directory.  This could have a variety of annoying
effects, the most dangerous being the creation of a file
"MT/monotonerc"; any monotone command run inside of the working copy
reads this file, and it may contain arbitrary code written in the Lua
programming language.
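The collision described above, as an added example that is not part of the original announcement or of monotone's own code: a small Python audit that flags repository paths whose top-level component case-folds to the bookkeeping directory, and singles out the one that would land on the Lua hook file. The directory name "MT" and the hook file name "monotonerc" are taken from the announcement; the sample manifest is constructed for illustration.

```python
"""Audit repository paths for case-insensitive collisions with monotone's
bookkeeping directory.

Added example, not monotone's own code. The names "MT" and "monotonerc"
come from the 0.25.2 announcement; the sample manifest is constructed.
"""

# Monotone's working-copy bookkeeping directory (from the announcement).
BOOKKEEPING_DIR = "MT"
# File in that directory loaded as Lua on every command (from the announcement).
HOOK_FILE = "monotonerc"


def normalize(path: str) -> list:
    """Split a repository-relative path into components, tolerating
    backslashes and leading/trailing separators."""
    return [p for p in path.replace("\\", "/").split("/") if p]


def collides_with_bookkeeping(path: str, bookkeeping: str = BOOKKEEPING_DIR) -> bool:
    """True if the path's top-level component would be merged into the
    bookkeeping directory on a case-insensitive filesystem.

    "mt/monotonerc" collides; "src/mt/x" does not, because only the
    top-level component is compared against the bookkeeping directory.
    """
    parts = normalize(path)
    return bool(parts) and parts[0].casefold() == bookkeeping.casefold()


def effective_path(path: str, bookkeeping: str = BOOKKEEPING_DIR) -> str:
    """Where a colliding path actually lands on a case-insensitive checkout."""
    parts = normalize(path)
    return "/".join([bookkeeping] + parts[1:])


def audit_manifest(paths, bookkeeping=BOOKKEEPING_DIR, hook_file=HOOK_FILE):
    """Return (path, effective path, hits_hook_file) for every colliding path.

    hits_hook_file is True when the path would overwrite the Lua hook file,
    the case the announcement singles out as the dangerous one.
    """
    findings = []
    for path in paths:
        if not collides_with_bookkeeping(path, bookkeeping):
            continue
        eff = effective_path(path, bookkeeping)
        parts = normalize(eff)
        hits_hook = len(parts) == 2 and parts[1].casefold() == hook_file.casefold()
        findings.append((path, eff, hits_hook))
    return findings


# Constructed sample manifest: one benign path, two colliding paths, and a
# nested "mt" directory that is harmless because it is not at top level.
SAMPLE_MANIFEST = [
    "src/main.cc",
    "mt/monotonerc",
    "Mt/notes.txt",
    "docs/mt/readme",
]

if __name__ == "__main__":
    for path, eff, hook in audit_manifest(SAMPLE_MANIFEST):
        label = "HOOK FILE" if hook else "bookkeeping"
        print(f"{path} -> {eff} ({label})")
```

Running this over the file list of an incoming change is the kind of check the "review of patches" mentioned below amounts to: the interesting finding is not a directory named "mt" as such, but a path that would resolve to the bookkeeping directory's hook file on a case-insensitive checkout.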

The exposure created by this bug is similar to that taken on by a user
who habitually runs 'monotone pull; monotone update; make' without
reviewing changes -- in either case, other committers may cause them
to run arbitrary code on their own computer.  Review of patches,
however, should quickly discover such irregularities.

Bottom line
-----------

If you are using monotone on Windows or OS X, upgrading is
RECOMMENDED.

The following activities are NOT affected by this issue:
  -- running a public monotone server
  -- running monotone on a case-sensitive filesystem (i.e., most unix
     users)
Such users may upgrade or not; it makes little difference.

Trivia
------

Some may be curious why this is 0.25.2, rather than 0.25.1 -- the
reason is that name "0.25.1" was used for a rebuild of the 0.25
windows installer, which was originally built in a way that made it
incompatible with WinNT 4.

-- Nathaniel