Please update your package builds, thanks.

Multiple security vulnerabilities in Mercurial's HTTP wire protocol interface
were fixed in this release:

* Not all commands would deny access if the repository was configured to not
  allow read access.
* The "batch" command did not check permissions of sub-commands, thus allowing
  permissions bypass to access and modify some repository data. Servers could
  have their bookmarks, phases, and obsolescence markers updated by any client
  that was able to trigger server processing of the "batch" command.

Note that the tag and signature are only in hg-committed right now -- this is
due to a known bug in our new patch acceptance process and will be fixed at
some point. The tag and signature should land in main within the next hour or

pacem in terris / мир / शान्ति / سَلاَم / 平和
Kevin R. Bullock
Mercurial-packaging mailing list
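
The "batch" permission gap described in the announcement above, shown as an added Python model that is not Mercurial's code and not part of the original message. The command names, `Client`, `PERMS` and both dispatch functions are hypothetical; the model contrasts checking only the outer command with authorizing every sub-command before any of them runs.

```python
# Simplified model of a wire-protocol dispatcher; not Mercurial's code.
# Command names, PERMS and Client are hypothetical.
from dataclasses import dataclass

class PermissionDenied(Exception):
    pass

@dataclass
class Client:
    can_read: bool
    can_write: bool

# Permission each command needs. "batch" itself only needs read access,
# which is why checking the outer command alone is not enough.
PERMS = {"heads": "read", "update_bookmark": "write", "batch": "read"}

def check(client, cmd):
    need = PERMS.get(cmd)
    if need is None:
        raise PermissionDenied(f"unknown command {cmd!r}")  # fail closed
    if not client.can_read:  # every command is refused without read access
        raise PermissionDenied(f"{cmd}: read access denied")
    if need == "write" and not client.can_write:
        raise PermissionDenied(f"{cmd}: write access denied")

def run(repo, cmd, arg):
    if cmd == "heads":
        return sorted(repo["bookmarks"])
    if cmd == "update_bookmark":
        name, node = arg
        repo["bookmarks"][name] = node
        return "ok"
    raise ValueError(cmd)

def dispatch_flawed(repo, client, cmd, arg=None):
    check(client, cmd)  # only the outer command is checked
    if cmd == "batch":
        return [run(repo, sub, a) for sub, a in arg]
    return run(repo, cmd, arg)

def dispatch_fixed(repo, client, cmd, arg=None):
    check(client, cmd)
    if cmd == "batch":
        for sub, _ in arg:
            if sub == "batch":
                raise PermissionDenied("nested batch")
            check(client, sub)  # authorize everything before running anything
        return [run(repo, sub, a) for sub, a in arg]
    return run(repo, cmd, arg)
```

Authorizing the whole batch before executing any sub-command also prevents a partially applied batch when a later sub-command is refused.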