Mercurial's symlink auditing was incomplete prior to 4.3, and could be
abused to write to files outside the repository.
Mercurial was not sanitizing hostnames passed to ssh, allowing shell
injection attacks by specifying a hostname starting with -oProxyCommand.
Currently we have:
f25 3.8.1 3.8.3(f24)
f26 4.2 4.2.1
Mercurial upstream has provided fixed versions 4.3 and 4.2.3.
I propose that for f26 we update hg to 4.2.3, together with thg 4.2.3
(currently the latest is 4.2.2).
I propose for f25 to similarly update hg and thg to 4.2.3.
Another package that requires mercurial and may be affected is hg-git.
devel mailing list -- email@example.com
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
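As an added example (not Mercurial's own fix, and not code from this thread), here is the kind of defensive check the second issue calls for: a Python helper that parses an ssh:// URL, refuses any user, host or path component that begins with '-' so it can never be read by ssh as an option, and builds an argv list for ssh without going through a shell. The hostname pattern, the exception type and the `hg -R <path> serve --stdio` remote command line are assumptions chosen for illustration; the sample URLs are constructed.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed allow-list for hostnames: letters, digits, dots and hyphens,
# never a leading hyphen (IPv6 literals are deliberately left out for brevity).
_HOST_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$')


class UnsafeSshTarget(ValueError):
    """Raised when a component of an ssh:// URL could be read by ssh as an option."""


def _reject_option_like(name, value):
    # Any component beginning with '-' would be parsed by ssh as a command-line
    # option instead of as data; reject it before it reaches the argv list.
    if value.startswith('-'):
        raise UnsafeSshTarget(f'{name} {value!r} would be interpreted as an ssh option')


def build_ssh_argv(url, remote_cmd='hg'):
    """Return an argv list (no shell) for running the remote command over ssh.

    User, host and path are validated so none of them can be turned into an
    ssh option, and '--' ends ssh option parsing as a second line of defence.
    """
    parts = urlsplit(url)
    if parts.scheme != 'ssh' or not parts.hostname:
        raise UnsafeSshTarget(f'not an ssh:// URL with a host: {url!r}')
    host = parts.hostname
    user = parts.username
    path = parts.path.lstrip('/')  # 'ssh://host/repo' -> 'repo'

    _reject_option_like('host', host)
    if user is not None:
        _reject_option_like('user', user)
    _reject_option_like('path', path)

    if not _HOST_RE.match(host):
        raise UnsafeSshTarget(f'host {host!r} contains unexpected characters')

    target = f'{user}@{host}' if user else host
    argv = ['ssh']
    if parts.port:
        argv += ['-p', str(parts.port)]
    # The remote side runs a shell, so the repository path is quoted for it.
    argv += ['--', target, f'{remote_cmd} -R {shlex.quote(path)} serve --stdio']
    return argv


if __name__ == '__main__':
    print(build_ssh_argv('ssh://alice@host.example:2222/proj/repo'))
    for bad in ('ssh://-example.invalid/repo', 'ssh://host.example/-repo'):
        try:
            build_ssh_argv(bad)
        except UnsafeSshTarget as exc:
            print('rejected:', exc)
```

The resulting list is meant to be handed to `subprocess.Popen` directly, never joined into a string for a shell; the leading-hyphen check is what stops a hostname from being read as an ssh option, and the `--` only guards the local ssh invocation, not the remote shell, which is why the path is still quoted.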