This is an out-of-schedule security release.

Please update your package builds, thanks.


This fixes an XSS vulnerability in hgweb, where an attacker could forge a link 
that would execute JavaScript in the target browser.

In practice, in a production setup, such an injection might be caught by the WSGI 
layer.

For example, the popular mod_wsgi would catch such an injection and return a 500 
instead:

https://github.com/GrahamDumpleton/mod_wsgi/blob/develop/src/server/wsgi_validate.c#L75

Thanks go to Julien Cristau for noticing that such a mitigation existed.


--
Pierre-Yves David
_______________________________________________
Mercurial-devel mailing list
Mercurial-devel@lists.mercurial-scm.org
https://lists.mercurial-scm.org/mailman/listinfo/mercurial-devel
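The message above notes that a WSGI server layer such as mod_wsgi may refuse a response whose headers contain injected content and answer with a 500. The following is an added example written for this note, not hgweb's code and not mod_wsgi's implementation: a small WSGI middleware that applies the assumed rule (header names must be RFC 7230 tokens, header values must contain no CR, LF, NUL or other control characters) and converts a violating response into a 500, together with a constructed sample application that copies a query parameter into a `Location` header so the check can be exercised offline. The function names (`header_problems`, `HeaderValidator`, `sample_app`, `call`) are this example's own.

```python
"""Added example: a WSGI middleware that refuses malformed response headers.

Illustrative code for this note only; it is not Mercurial's hgweb and not
mod_wsgi. It emulates the mitigation the message describes: a response
carrying an injected header is replaced by a 500 at the WSGI layer.
Header rules assumed here: names are RFC 7230 tokens, values contain no
CR, LF, NUL or other control characters (HTAB is tolerated).
"""
import re
from urllib.parse import parse_qs

# Assumption: RFC 7230 tchar set for header names.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Control characters that must never appear in a header value (HTAB 0x09 allowed).
_BAD_VALUE_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def header_problems(headers):
    """Return a list of (name, reason) for every header that is not safe to emit."""
    problems = []
    for name, value in headers:
        if not isinstance(name, str) or not _TOKEN_RE.match(name):
            problems.append((name, "invalid header name"))
            continue
        if not isinstance(value, str) or _BAD_VALUE_RE.search(value):
            problems.append((name, "control character in header value"))
    return problems


class HeaderValidator:
    """WSGI middleware: validate the wrapped app's headers before they are sent."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        captured = {}

        def capture(status, headers, exc_info=None):
            # Hold the app's start_response arguments until they are checked.
            captured["status"] = status
            captured["headers"] = list(headers)
            captured["exc_info"] = exc_info
            return lambda data: None  # write() callable is not supported here

        body = self.app(environ, capture)
        problems = header_problems(captured.get("headers", []))
        if problems:
            # Emulate the server-layer behaviour described in the message: 500 instead.
            if hasattr(body, "close"):
                body.close()
            error = b"500 Internal Server Error: invalid response header\n"
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(error)))])
            return [error]
        start_response(captured["status"], captured["headers"], captured["exc_info"])
        return body


def sample_app(environ, start_response):
    """Constructed sample app: copies an untrusted query parameter into a header."""
    target = parse_qs(environ.get("QUERY_STRING", "")).get("next", ["/"])[0]
    start_response("302 Found", [("Location", target), ("Content-Type", "text/plain")])
    return [b"redirecting\n"]


def call(app, query_string):
    """Invoke a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "QUERY_STRING": query_string}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = HeaderValidator(sample_app)
    print(call(app, "next=/ok")[0])                          # 302 Found
    print(call(app, "next=/x%0d%0aX-Injected:%201")[0])      # 500 Internal Server Error
```

The middleware buffers only the `start_response` arguments, not the body, so it adds no memory cost for large responses; the trade-off is that it does not support the legacy `write()` callable, which is acceptable for a demonstration of the check itself.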