From pierre-yves.david at ens-lyon.org  Wed Mar  5 22:20:50 2025
From: pierre-yves.david at ens-lyon.org (Pierre-Yves David)
Date: Wed, 5 Mar 2025 23:20:50 +0100
Subject: Mercurial 6.9.3 tagged
Message-ID: <99bc4c8a-d678-488a-81a9-11cc3576ed46@ens-lyon.org>

I just tagged Mercurial 6.9.3

This is an out of schedule release to address a regression introduce in 6.9.2.

The regression only affects clone bundle manifest that contains some specific requirements that did not need to be added, but that's still a regression and this especially affects current Mozilla's clonebundles.

Please update your package builds, thanks.

Release notes here:https://wiki.mercurial-scm.org/Release6.9


-- 
Pierre-Yves David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mercurial-scm.org/pipermail/mercurial-packaging/attachments/20250305/35b79d5d/attachment.htm>

From pierre-yves.david at octobus.net  Tue Mar 18 07:51:44 2025
From: pierre-yves.david at octobus.net (Pierre-Yves David)
Date: Tue, 18 Mar 2025 08:51:44 +0100
Subject: Mercurial 7.0rc1 tagged
Message-ID: <34c46275-e41a-488e-ae3b-44ed830d35ff@octobus.net>

Please update your package builds, thanks.

Please also make sure you have the latest evolve version packaged too.

-- 
Pierre-Yves David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mercurial-scm.org/pipermail/mercurial-packaging/attachments/20250318/851cdeb5/attachment.htm>

From raphael.gomes at octobus.net  Tue Mar 18 15:19:22 2025
From: raphael.gomes at octobus.net (=?UTF-8?B?UmFwaGHDq2wgR29tw6hz?=)
Date: Tue, 18 Mar 2025 16:19:22 +0100
Subject: Out-of-schedule Mercurial security release
Message-ID: <8c602338-f183-4a04-b34d-b357de5e1a9e@octobus.net>

Hi all,

We are planning an out-of-schedule security release to address 
CVE-2025-2361?.

This is an XSS vulnerability in hg-web, and the original bug was 
introduced way back in 2006!

This was disclosed without our involvement and showed some gaps in our 
security handling practices that thankfully don't need to be put to the 
test very often. Nevertheless, I hope that measures like refreshing our 
security list should improve the situation in the future.

The release for 6.9.4 will only contain the fix for this and will happen 
tomorrow. I expect this patch to be very easy to graft on top of old 
versions, as most of the hgweb code doesn't move much these days.

[1]? https://www.cve.org/CVERecord?id=CVE-2025-2361

Thanks,
Rapha?l


From pierre-yves.david at octobus.net  Wed Mar 19 15:16:31 2025
From: pierre-yves.david at octobus.net (Pierre-Yves David)
Date: Wed, 19 Mar 2025 16:16:31 +0100
Subject: Mercurial 6.9.4 tagged (CVE-2025-2361)
Message-ID: <e48f3525-ad63-4a4c-ad81-a19818f54ab2@octobus.net>

This is an out of schedule security release

Please update your package builds, thanks.


This fixes a XSS vulnerability in hgweb, were an attacker could forge a link that would execute javascript in the target browser.

In practice in production setup, such injection might be caught by the wsgi layer.

For example the popular mode_wsgi would catch such injection and return a 500 instead:

https://github.com/GrahamDumpleton/mod_wsgi/blob/develop/src/server/wsgi_validate.c#L75

Thanks goes to Julien Cristau for noticing that such mitigation existed.


-- 
Pierre-Yves David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mercurial-scm.org/pipermail/mercurial-packaging/attachments/20250319/216e5da9/attachment.htm>

From raphael.gomes at octobus.net  Tue Mar 25 23:13:44 2025
From: raphael.gomes at octobus.net (=?UTF-8?B?UmFwaGHDq2wgR29tw6hz?=)
Date: Wed, 26 Mar 2025 00:13:44 +0100
Subject: Mercurial 7.0 tagged
Message-ID: <a679aae7-f726-46ac-a911-f90d1ee106a5@octobus.net>

Please update your package builds, thanks.
Please also make sure you have the latest evolve version packaged too.

Release notes here:https://wiki.mercurial-scm.org/Release7.0

As per our previous warning, this release changes the way our Python setup is done to comply with the changes in packaging like PEP 517.

I hope the ride is not too rough,
Rapha?l
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mercurial-scm.org/pipermail/mercurial-packaging/attachments/20250326/696e3eb6/attachment.htm>

From pierre.augier at univ-grenoble-alpes.fr  Thu Mar 27 20:48:23 2025
From: pierre.augier at univ-grenoble-alpes.fr (PIERRE AUGIER)
Date: Thu, 27 Mar 2025 21:48:23 +0100 (CET)
Subject: Mercurial 7.0 tagged
In-Reply-To: <a679aae7-f726-46ac-a911-f90d1ee106a5@octobus.net>
References: <a679aae7-f726-46ac-a911-f90d1ee106a5@octobus.net>
Message-ID: <1020377902.11948394.1743108503510.JavaMail.zimbra@univ-grenoble-alpes.fr>


----- Mail original -----
> De: "Rapha?l Gom?s" <raphael.gomes at octobus.net>
> ?: mercurial-packaging at mercurial-scm.org
> Envoy?: Mercredi 26 Mars 2025 00:13:44
> Objet: Mercurial 7.0 tagged

> Please update your package builds, thanks. Please also make sure you have the
> latest evolve version packaged too. Release notes here: [
> https://wiki.mercurial-scm.org/Release7.0 |
> https://wiki.mercurial-scm.org/Release7.0 ] As per our previous warning, this
> release changes the way our Python setup is done to comply with the changes in
> packaging like PEP 517.

Thanks Rapha?l for your work for this new Mercurial version and the release!

> I hope the ride is not too rough,

For conda-forge, this was quite difficult indeed:

https://github.com/conda-forge/mercurial-feedstock/pull/105/files