Mercurial 4.4.1 Released
Augie Fackler
raf at durin42.com
Tue Nov 7 18:29:48 UTC 2017
This is an unscheduled security release to mitigate a publicly reported security flaw in Mercurial.
It is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked in to the repository in Mercurial 4.4 and earlier. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.
Backwards Compatibility Changes
* subrepos now default the Git and Subversion support to off due to known security defects in those components. See 'hg help subrepos.config' for more information, including how to re-enable Git and Subversion subrepo support.
Release Notes
* Git and Subversion subrepos have been disabled by default to mitigate a potential security risk if files overlapping with a subrepo managed to be committed to a repository.
* Subrepos are now more paranoid about symlink traversal.
* The share extension handles drive letters on Windows better.
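An added audit helper, not part of this announcement or of Mercurial's own code, that flags tracked files overlapping a subrepo (the condition the release notes describe), with a git subrepo's `.git/hooks/` path rated highest. It assumes the caller supplies the text of `.hgsub` and the parent repository's tracked paths (for example the output of `hg manifest`); the sample input below is constructed.

```python
"""Flag tracked paths that fall inside a subrepo declared in .hgsub.

Constructed example. .hgsub lines have the form `path = [kind]source`,
where kind is git, svn or (by default) hg.
"""
import posixpath
import re
from typing import Dict, List, Tuple

_HGSUB_LINE = re.compile(r"^\s*(?P<path>[^=]+?)\s*=\s*(?:\[(?P<kind>\w+)\])?\s*(?P<src>.*)$")
_METADATA_DIRS = (".git/", ".svn/")  # VCS metadata that should never be tracked by the parent


def parse_hgsub(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each subrepo path to (kind, source); kind defaults to 'hg'."""
    subs: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank or comment line
        m = _HGSUB_LINE.match(line)
        if not m:
            continue
        path = posixpath.normpath(m.group("path").strip())
        kind = (m.group("kind") or "hg").lower()
        subs[path] = (kind, m.group("src").strip())
    return subs


def find_overlaps(subs: Dict[str, Tuple[str, str]], tracked: List[str]) -> List[Tuple[str, str, str]]:
    """Return (tracked_path, subrepo_path, severity) for every tracked path inside a subrepo."""
    findings = []
    for raw in tracked:
        path = posixpath.normpath(raw)
        for sub, (kind, _src) in subs.items():
            if path != sub and not path.startswith(sub + "/"):
                continue
            rel = path[len(sub) + 1:] if path != sub else ""
            if kind == "git" and rel.startswith(".git/hooks/"):
                severity = "critical"  # a checked-in hook script is the vector fixed in 4.4.1
            elif rel.startswith(_METADATA_DIRS):
                severity = "high"      # parent repo is writing into the subrepo's VCS metadata
            else:
                severity = "warning"   # any overlap is suspicious and blocks clean subrepo updates
            findings.append((path, sub, severity))
    return findings


# Constructed sample input: a parent repo with three subrepos and a few tracked files.
HGSUB = "# constructed .hgsub\nvendor/lib = [git]https://example.invalid/lib.git\n" \
        "docs/theme = [svn]https://example.invalid/svn/theme\ntools = tools-repo\n"
TRACKED = ["README.md", "vendor/lib/.git/hooks/post-update", "vendor/lib/src/main.c",
           "docs/theme/.svn/wc.db", "tools/build.sh"]

if __name__ == "__main__":
    for path, sub, severity in find_overlaps(parse_hgsub(HGSUB), TRACKED):
        print(f"{severity:8} {path} (inside subrepo {sub})")
```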