Gentoo Linux Security Advisory 201709-18 - Multiple vulnerabilities have been found in Mercurial, the worst of which could lead to the remote execution of arbitrary code. Versions less than 4.3 are affected.
89aefc9a366cff54114ccf79e3fe3ca7be36701152914d2c0e752658790e251b
SourceTree suffers from multiple remote code execution vulnerabilities that can be triggered via hostile repositories being checked in. SourceTree for macOS versions prior to 2.6.1 and SourceTree for Windows versions prior to 2.1.10 are affected.
1e50b9884995c5b9c544b4aa24ba0de7ea8f777b919770ce1a23e318b7d2c761
Debian Linux Security Advisory 3963-1 - Several issues were discovered in Mercurial, a distributed revision control system.
bd83f96fa1efaaffc2eddb423ae1e6ba6e4a8cbc1d79385bf890c4e6dae763ba
Red Hat Security Advisory 2017-2489-01 - Mercurial is a fast, lightweight source control management system designed for efficient handling of very large distributed projects. Security Fix: A vulnerability was found in the way Mercurial handles path auditing and caches the results. An attacker could abuse a repository with a series of commits mixing symlinks and regular files/directories to trick Mercurial into writing outside of a given repository. A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Mercurial. This can be exploited to execute shell commands with the privileges of the user running the Mercurial client, for example, when performing a "checkout" or "update" action on a sub-repository within a malicious repository or a legitimate repository containing a malicious commit.
8738f069f2944ea66cc39edcf21cdadd76160904bb6eb1bd0d4f6efa07edf23c
Slackware Security Advisory - New mercurial packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
e9a3e10f787f19af20556a8626c0eec971c3bc7891353842436625abb0d5e43c