From ${URL} : A vulnerability in Mercurial's handling of subrepositories was reported on the Mercurial Project's *public* bug tracker. The vulnerability results in arbitrary code execution during `hg clone` or `hg pull` + `hg update` if a well-crafted repository is cloned or pulled from. The vulnerability is known to occur with Git subrepositories, but it can also possibly occur with other subrepository types. The vulnerability likely impacts Mercurial versions released for the past several years. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
*** Bug 640560 has been marked as a duplicate of this bug. ***
Mitigation is to disable sub-repos and only clone trusted repos, which would be considered hardening. Mercurial has made this a default option accordingly for their users, and the fix is present in 4.5.2 (older versions not checked). Thus, the bug has been downgraded to B4. GLSA Vote: No. @hppa, please stabilize.
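An hgrc fragment matching the hardening described in the comment above (an added example, not part of the bug report or of Mercurial's own documentation). It assumes Mercurial 4.5.2 or later, where the `[subrepos]` section controls whether subrepositories may be used at all and per type; on an upgraded 4.5.2 the Git and Subversion entries below are already the defaults, and the `allowed = false` line turns off Mercurial subrepositories as well, which is the stricter setting for hosts that never need them.

```ini
# ~/.hgrc or /etc/mercurial/hgrc  (assumes Mercurial >= 4.5.2)
[subrepos]
# Refuse every subrepository type during clone/pull/update.
# Set to true and rely on the per-type keys below if hg subrepos are needed.
allowed = false

# Per-type switches, consulted only when "allowed" is true.
# Git and Subversion subrepos are the ones the advisory calls out;
# 4.5.2 already defaults them to false.
hg:allowed = true
git:allowed = false
svn:allowed = false
```

After editing, `hg config subrepos` prints the effective values and which file each one came from, which is the quick way to confirm that a per-repository `.hg/hgrc` is not re-enabling a type that the system-wide file disabled.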
hppa stable
Cleanup will be in bug 649872