Mercurial 4.9 released
Augie Fackler
raf at durin42.com
Fri Feb 1 19:18:52 UTC 2019
Please update your package builds.
This release includes mitigation for a potential security defect in the presence of subrepos and symlink traversal. Users on older versions of hg can avoid the issue by either disabling subrepos support entirely (set subrepos.allowed=false in your hgrc) or by being deliberate about what repositories they interact with. In a shared hosting setting, I think I'd probably bias toward disabling subrepos at this point to be on the safe side.