Please update your package builds, thanks.

Multiple security vulnerabilities in Mercurial's HTTP wire protocol interface 
were fixed in this release:

* Not all commands would deny access if the repository was configured to not 
allow read access.

* The "batch" command did not check permissions of sub-commands, thus allowing 
permissions bypass to access and modify some repository data. Servers could 
have their bookmarks, phases, and obsolescence markers updated by any client 
that was able to trigger server processing of the "batch" command.

Note that the tag and signature are only in hg-committed right now -- this is 
due to a known bug in our new patch acceptance process and will be fixed at 
some point. The tag and signature should land in main within the next hour or 

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock

Mercurial-packaging mailing list
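
The second issue described in the message above is a missing authorization check on a wrapper command. As an added example (not Mercurial's code and not part of the original message), this simplified Python model puts a batch dispatcher that authorizes only the outer command beside one that authorizes every sub-command before running any. The class, the permission table and the sample bookmark values are assumptions constructed for illustration.

```python
# Simplified model of a wire-protocol dispatcher; NOT Mercurial's code.
# The permission table and all state below are constructed for illustration.
PERMS = {"heads": "pull", "pushkey": "push", "batch": "pull"}

class PermissionDenied(Exception):
    pass

class Server:
    def __init__(self, check_subcommands):
        self.check_subcommands = check_subcommands
        self.bookmarks = {"stable": "aaa111"}  # constructed sample state

    def _authorize(self, client_perms, cmd):
        # Unknown commands and commands whose permission the client lacks fail.
        need = PERMS.get(cmd)
        if need is None or need not in client_perms:
            raise PermissionDenied(cmd)

    def _run(self, cmd, args):
        if cmd == "heads":
            return ["aaa111"]
        if cmd == "pushkey":  # write operation: moves a bookmark
            self.bookmarks[args["key"]] = args["new"]
            return True
        raise ValueError("unsupported command: " + cmd)

    def dispatch(self, client_perms, cmd, args=None):
        self._authorize(client_perms, cmd)
        if cmd != "batch":
            return self._run(cmd, args or {})
        if self.check_subcommands:
            # Hardened path: authorize every sub-command before running any,
            # so a denied entry cannot leave the batch half-applied.
            for sub, _ in args:
                self._authorize(client_perms, sub)
        return [self._run(sub, subargs) for sub, subargs in args]

def demo():
    # A pull-only client sends a batch that contains a write sub-command.
    request = [("heads", {}), ("pushkey", {"key": "stable", "new": "bbb222"})]
    outcome = {}
    for label, checked in (("unchecked", False), ("checked", True)):
        server = Server(checked)
        try:
            server.dispatch({"pull"}, "batch", request)
            denied = False
        except PermissionDenied:
            denied = True
        outcome[label] = (denied, server.bookmarks["stable"])
    return outcome
```

In the unchecked model the bookmark changes even though the client holds only the pull permission; in the checked model the whole batch is refused and the state is untouched.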
