Download Mercurial 4.3.1 / 4.2.3

Mercurial is a program for software and project developers, among others, with which management and version control over data and source code can be performed. The program can be seen as a direct competitor to the well-known svn or Subversion. For example, Mercurial is used by NetBeans and Roundup Issue Tracker. Version 4.3.1 and 4.2.3 have recently been released, with the following list of changes:

Mercurial 4.3.1

(4.3.1 was released immediately after 4.3 to fix a release oversight.)
an overview of new features available. This is a regularly-scheduled quarterly feature release.

Notable changes

• experimental amend extension providing the amend command
• experimental sparse extension
• Support for Python 2.6 has been dropped.
• Bundles created by the strip extension now store phase information. It will be restored when unbundling.
• The strip extension now removes relevant obsmarkers. If a backup requested (the default), the obsmarkers are stored in the backup bundle and will be restored when unbundling.
• hg show work (from the experimental show extension) now displays more info
• hg show stack is a new view for the current, in-progress changeset and others around it
• Mitigation for two security vulnerabilities

CVE-2017-1000115
Mercurial’s symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.

CVE-2017-1000116
Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed.

Mercurial 4.2.3

This was an out-of-cycle backport of security fixes from 4.3 for users stuck on Python 2.6.