Mercurial 4.5.2 tagged

Kevin Bullock kbullock at ringworld.org
Tue Mar 6 19:51:01 UTC 2018


Please update your package builds, thanks.

Multiple security vulnerabilities in Mercurial's HTTP wire protocol interface were fixed in this release:

* Not all commands would deny access if the repository was configured to not allow read access.

* The "batch" command did not check permissions of sub-commands, thus allowing permissions bypass to access and modify some repository data. Servers could have their bookmarks, phases, and obsolescence markers updated by any client that was able to trigger server processing of the "batch" command.

Note that the tag and signature are only in hg-committed right now -- this is due to a known bug in our new patch acceptance process and will be fixed at some point. The tag and signature should land in main within the next hour or two.

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock
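
The second flaw described in the message above, shown as an added illustration that is not part of the original message and is not Mercurial's code. It is a simplified Python model of a batch dispatcher, with hypothetical command names, permission table and repository state, that puts the missing per-sub-command check beside the corrected form.

```python
# Simplified model of a batch-capable command server. All names here are
# hypothetical; this is not Mercurial's code.
READ, WRITE = "read", "write"

# Permission each command requires (constructed table).
REQUIRED = {"listkeys": READ, "pushkey": WRITE, "batch": READ}

class Server:
    def __init__(self, granted):
        self.granted = set(granted)            # permissions the client holds
        self.keys = {"bookmark:main": "rev1"}  # constructed repository state

    def check(self, cmd):
        # Default-deny: unknown commands are rejected as well.
        need = REQUIRED.get(cmd)
        if need is None or need not in self.granted:
            raise PermissionError(cmd)

    def run(self, cmd, args):
        if cmd == "listkeys":
            return dict(self.keys)
        if cmd == "pushkey":
            self.keys[args["key"]] = args["new"]
            return True
        raise PermissionError(cmd)

    def dispatch(self, cmd, args, check_subcommands=True):
        self.check(cmd)
        if cmd != "batch":
            return self.run(cmd, args)
        if check_subcommands:
            # Authorize every sub-command before running any of them, so a
            # partly authorized batch has no side effects.
            for sub, _ in args["cmds"]:
                if sub == "batch":
                    raise PermissionError("nested batch")
                self.check(sub)
        return [self.run(sub, subargs) for sub, subargs in args["cmds"]]

def demo():
    req = {"cmds": [("listkeys", {}), ("pushkey", {"key": "bookmark:main", "new": "rev9"})]}
    flawed, fixed = Server({READ}), Server({READ})
    flawed.dispatch("batch", req, check_subcommands=False)  # write goes through
    try:
        fixed.dispatch("batch", req)
        blocked = False
    except PermissionError:
        blocked = True
    return flawed.keys["bookmark:main"], fixed.keys["bookmark:main"], blocked
```

With the check disabled, a read-only client's batch changes the stored key; with it enabled, the whole batch is refused before any sub-command runs.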


