From pierre-yves.david at ens-lyon.org Wed Mar 5 22:20:50 2025 From: pierre-yves.david at ens-lyon.org (Pierre-Yves David) Date: Wed, 5 Mar 2025 23:20:50 +0100 Subject: Mercurial 6.9.3 tagged Message-ID: <99bc4c8a-d678-488a-81a9-11cc3576ed46@ens-lyon.org> I just tagged Mercurial 6.9.3 This is an out of schedule release to address a regression introduce in 6.9.2. The regression only affects clone bundle manifest that contains some specific requirements that did not need to be added, but that's still a regression and this especially affects current Mozilla's clonebundles. Please update your package builds, thanks. Release notes here:https://wiki.mercurial-scm.org/Release6.9 -- Pierre-Yves David -------------- next part -------------- An HTML attachment was scrubbed... URL: From pierre-yves.david at octobus.net Tue Mar 18 07:51:44 2025 From: pierre-yves.david at octobus.net (Pierre-Yves David) Date: Tue, 18 Mar 2025 08:51:44 +0100 Subject: Mercurial 7.0rc1 tagged Message-ID: <34c46275-e41a-488e-ae3b-44ed830d35ff@octobus.net> Please update your package builds, thanks. Please also make sure you have the latest evolve version packaged too. -- Pierre-Yves David -------------- next part -------------- An HTML attachment was scrubbed... URL: From raphael.gomes at octobus.net Tue Mar 18 15:19:22 2025 From: raphael.gomes at octobus.net (=?UTF-8?B?UmFwaGHDq2wgR29tw6hz?=) Date: Tue, 18 Mar 2025 16:19:22 +0100 Subject: Out-of-schedule Mercurial security release Message-ID: <8c602338-f183-4a04-b34d-b357de5e1a9e@octobus.net> Hi all, We are planning an out-of-schedule security release to address CVE-2025-2361?. This is an XSS vulnerability in hg-web, and the original bug was introduced way back in 2006! This was disclosed without our involvement and showed some gaps in our security handling practices that thankfully don't need to be put to the test very often. Nevertheless, I hope that measures like refreshing our security list should improve the situation in the future. The release for 6.9.4 will only contain the fix for this and will happen tomorrow. I expect this patch to be very easy to graft on top of old versions, as most of the hgweb code doesn't move much these days. [1]? https://www.cve.org/CVERecord?id=CVE-2025-2361 Thanks, Rapha?l From pierre-yves.david at octobus.net Wed Mar 19 15:16:31 2025 From: pierre-yves.david at octobus.net (Pierre-Yves David) Date: Wed, 19 Mar 2025 16:16:31 +0100 Subject: Mercurial 6.9.4 tagged (CVE-2025-2361) Message-ID: This is an out of schedule security release Please update your package builds, thanks. This fixes a XSS vulnerability in hgweb, were an attacker could forge a link that would execute javascript in the target browser. In practice in production setup, such injection might be caught by the wsgi layer. For example the popular mode_wsgi would catch such injection and return a 500 instead: https://github.com/GrahamDumpleton/mod_wsgi/blob/develop/src/server/wsgi_validate.c#L75 Thanks goes to Julien Cristau for noticing that such mitigation existed. -- Pierre-Yves David -------------- next part -------------- An HTML attachment was scrubbed... URL: