Mercurial 4.3 release

1. Notable changes

2. Security fixes

2.1. CVE-2017-1000115

Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.

2.2. CVE-2017-1000116

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed.

3. Bug fixes

4. Improvements

5. Extensions

6. Behavior changes

7. Internal API changes

8. Unprocessed script output below, please integrate this into the above

Note that there may be duplicates between the above and the below.

8.1. commands

8.2. core

Release4.3 (last edited 2017-08-21 08:53:09 by BorisFeld)