Mercurial 4.5.2 tagged
Kevin Bullock
kbullock at ringworld.org
Tue Mar 6 19:51:01 UTC 2018
Please update your package builds, thanks.
Multiple security vulnerabilities in Mercurial's HTTP wire protocol interface were fixed in this release:
* Not all commands would deny access if the repository was configured to not allow read access.
* The "batch" command did not check permissions of sub-commands, thus allowing permissions bypass to access and modify some repository data. Servers could have their bookmarks, phases, and obsolescence markers updated by any client that was able to trigger server processing of the "batch" command.
Note that the tag and signature are only in hg-committed right now -- this is due to a known bug in our new patch acceptance process and will be fixed at some point. The tag and signature should land in main within the next hour or two.
pacem in terris / мир / शान्ति / سلام / 平和
Kevin R. Bullock
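
The class of bug described in the announcement, shown as an added example that is not part of the original message and is not Mercurial's code. It is a toy dispatcher in which the command table, the permission names ("pull", "push"), the argument layout and the `check_subcommands` switch are all assumptions made for illustration; it contrasts a "batch" handler that skips sub-command checks with one that authorizes every sub-command first.

```python
"""Toy model of per-command permission checks in a batched RPC dispatcher."""

class PermissionDenied(Exception):
    pass

def _heads(repo, args):
    return sorted(repo["heads"])

def _listkeys(repo, args):
    return dict(repo["keys"].get(args["namespace"], {}))

def _pushkey(repo, args):
    repo["keys"].setdefault(args["namespace"], {})[args["key"]] = args["new"]
    return True

# Assumed table for this model: command -> (required permission, handler).
COMMANDS = {
    "heads": ("pull", _heads),
    "listkeys": ("pull", _listkeys),
    "pushkey": ("push", _pushkey),
}

def check_perm(granted, name):
    """Deny by default: unknown commands and missing permissions both fail."""
    if name not in COMMANDS:
        raise PermissionDenied("unknown command: %s" % name)
    required = COMMANDS[name][0]
    if required not in granted:
        raise PermissionDenied("%s requires %s" % (name, required))

def dispatch(repo, granted, name, args, check_subcommands=True):
    """Run one command; granted is the set of permissions the client holds."""
    if name != "batch":
        check_perm(granted, name)
        return COMMANDS[name][1](repo, args)
    cmds = args["cmds"]  # list of (sub-command name, args) pairs
    if check_subcommands:
        # Authorize every sub-command before running any of them, so a
        # rejected batch leaves no partial side effects behind.
        for sub, _ in cmds:
            check_perm(granted, sub)
    # check_subcommands=False models the flaw: handlers run unchecked.
    return [COMMANDS[sub][1](repo, subargs) for sub, subargs in cmds]

def new_repo():
    """Constructed sample state."""
    return {"heads": ["abc123"], "keys": {"bookmarks": {"stable": "abc123"}}}
```

A regression test for a server of this shape should send each write command both directly and wrapped in a batch under a read-only identity and expect a denial in both cases.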