Hi all,
We are planning an out-of-schedule security release to address
CVE-2025-2361 [1].
This is an XSS vulnerability in hgweb, and the original bug was
introduced way back in 2006!
This was disclosed without our involvement and showed some gaps in our
security handling practices that thankfully don't need to be put to the
test very often. Nevertheless, I hope that measures like refreshing our
security list should improve the situation in the future.
The release for 6.9.4 will only contain the fix for this and will happen
tomorrow. I expect this patch to be very easy to graft on top of old
versions, as most of the hgweb code doesn't move much these days.
[1] https://www.cve.org/CVERecord?id=CVE-2025-2361
Thanks,
Raphaël
_______________________________________________
Mercurial-packaging mailing list
Mercurial-packaging@lists.mercurial-scm.org
https://lists.mercurial-scm.org/mailman/listinfo/mercurial-packaging