Mercurial 4.4.1 Released

Augie Fackler raf at durin42.com
Tue Nov 7 18:29:48 UTC 2017


This is an unscheduled security release to mitigate a publicly reported security flaw in Mercurial. 

In Mercurial 4.4 and earlier, a specially malformed repository can cause a Git subrepository to run arbitrary code, in the form of a .git/hooks/post-update script checked in to the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.
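The following is an added example, not code from Mercurial or from this announcement: a static check for the overlap described above. It parses a repository's .hgsub, then looks for tracked files that sit at or below a subrepository path, and singles out the dangerous case of a file inside a Git subrepo's .git/hooks/ directory. It assumes the tracked-file list is what `hg files -r <rev>` prints (one repo-relative path per line); the .hgsub text and file list in the block are constructed samples.

```python
# Added example (not Mercurial's own code): a static check for tracked
# files that overlap a subrepository path, the condition behind the
# Mercurial 4.4.1 advisory. A checked-in .git/hooks/post-update inside a
# Git subrepo is the specific case flagged as dangerous.
#
# Assumptions: the tracked file list is the output of `hg files -r <rev>`
# (one repo-relative path per line); SAMPLE_HGSUB and SAMPLE_TRACKED
# below are constructed for the demonstration.


def parse_hgsub(text):
    """Parse .hgsub lines of the form 'path = [kind]source'.

    Returns a list of (path, kind). kind defaults to 'hg' when the source
    carries no [kind] prefix, matching Mercurial's .hgsub syntax.
    """
    subs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, sep, source = line.partition("=")
        if not sep:
            continue  # not a 'path = source' mapping; ignore
        path = path.strip().strip("/")
        source = source.strip()
        kind = "hg"
        if source.startswith("[") and "]" in source:
            kind = source[1:source.index("]")]
        subs.append((path, kind))
    return subs


def overlapping_files(tracked, subs):
    """Return (file, subrepo_path, kind) for every tracked file that lies
    at or below a subrepository path. Ordinary Mercurial use never commits
    such files; their presence means the repository was built by hand."""
    hits = []
    for f in tracked:
        f = f.strip().strip("/")
        if not f:
            continue
        for path, kind in subs:
            if f == path or f.startswith(path + "/"):
                hits.append((f, path, kind))
    return hits


def git_hook_overlaps(hits):
    """Narrow overlaps to the dangerous case: a file inside a Git
    subrepo's .git/hooks/ directory, e.g. .git/hooks/post-update."""
    out = []
    for f, path, kind in hits:
        rel = f[len(path) + 1:] if f != path else ""
        if kind == "git" and rel.startswith(".git/hooks/"):
            out.append((f, path))
    return out


# Constructed sample .hgsub declaring git, svn and hg subrepositories.
SAMPLE_HGSUB = """\
# constructed .hgsub
vendor/libfoo = [git]https://example.invalid/libfoo.git
docs = [svn]https://example.invalid/svn/docs/trunk
tools/helper = helper
"""

# Constructed sample manifest, as `hg files -r tip` would list it.
SAMPLE_TRACKED = [
    ".hgsub",
    ".hgsubstate",
    "README",
    "src/main.c",
    "docs/index.txt",
    "vendor/libfoo/.git/hooks/post-update",
]


def scan(hgsub_text, tracked):
    """Run the whole check; returns (all_overlaps, git_hook_overlaps)."""
    subs = parse_hgsub(hgsub_text)
    hits = overlapping_files(tracked, subs)
    return hits, git_hook_overlaps(hits)


if __name__ == "__main__":
    hits, hooks = scan(SAMPLE_HGSUB, SAMPLE_TRACKED)
    for f, path, kind in hits:
        print("overlap: %s lies under %s subrepo %s" % (f, kind, path))
    for f, path in hooks:
        print("DANGER: checked-in git hook %s in subrepo %s" % (f, path))
```

To use it on a real repository, feed parse_hgsub the contents of .hgsub at the revision of interest and overlapping_files the lines printed by `hg files -r <rev>`. Any hit at all is a repository that typical Mercurial use should never have produced; a hit under .git/hooks/ in a Git subrepo is the case this release disables by default. With 4.4.1, Git and Subversion subrepos stay off until git:allowed or svn:allowed is set to true in the [subrepos] section of an hgrc (see hg help config), so re-enable them only for repositories you have checked this way.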

Backwards Compatibility Changes
 * Subrepos now default Git and Subversion support to off due to known security defects in those components. See 'hg help subrepos.config' for more information, including how to re-enable Git and Subversion subrepo support.

Release Notes

 * Git and Subversion subrepos have been disabled by default to mitigate a potential security risk when files overlapping with a subrepo's path have been committed to a repository.

 * Subrepos are now more paranoid about symlink traversal.

 * The share extension handles drive letters on Windows better.



More information about the Mercurial-packaging mailing list