This is an unscheduled security release to mitigate a publicly reported security flaw in Mercurial.
It is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code, in the form of a .git/hooks/post-update script checked in to the repository, in Mercurial 4.4 and earlier. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

Backwards Compatibility Changes

* subrepos now default the Git and Subversion support to off due to known security defects in those components. See 'hg help subrepos.config' for more information, including how to re-enable Git and Subversion subrepo support.

Release Notes

* Git and Subversion subrepos have been disabled by default to mitigate a potential security risk if files overlapping with a subrepo managed to be committed to a repository.
* Subrepos are now more paranoid about symlink traversal.
* The share extension handles drive letters on Windows better.

_______________________________________________
Mercurial-packaging mailing list
https://www.mercurial-scm.org/mailman/listinfo/mercurial-packaging
