
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN170

_____________________________________________________________________

DATE                : 25/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Mercurial versions prior to 6.9.4.

=====================================================================
https://lists.mercurial-scm.org/pipermail/mercurial-packaging/2025-March/000754.html
_____________________________________________________________________

This is an out-of-schedule security release.

Please update your package builds, thanks.


This fixes an XSS vulnerability in hgweb, where an attacker could forge
a link that would execute JavaScript in the target browser.

In practice, in a production setup, such an injection might be caught by
the WSGI layer.

For example, the popular mod_wsgi would catch such an injection and
return a 500 instead:

https://github.com/GrahamDumpleton/mod_wsgi/blob/develop/src/server/wsgi_validate.c#L75

Thanks go to Julien Cristau for noticing that such a mitigation
existed.


-- 
Pierre-Yves David
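The announcement above notes that a strict WSGI layer can turn a malformed response into a 500 before it reaches the browser. As an added example (not Mercurial's or mod_wsgi's code), the middleware below enforces the kind of response-header validation a strict WSGI server performs, driven against a constructed application that copies a request value into a header unvalidated; `echo_location_app`, `strict_headers` and `run` are names chosen here.

```python
import re
from wsgiref.util import setup_testing_defaults

# Header names must be RFC 7230 tokens; values may not carry C0 control
# characters (CR and LF included) or DEL, since those let a value break
# out of its own header line.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def header_is_valid(name, value):
    """Return True if (name, value) is a well-formed HTTP response header."""
    if not _TOKEN.match(name):
        return False
    return not any(ord(c) < 32 or ord(c) == 127 for c in value)

def strict_headers(app):
    """Middleware: if `app` emits a malformed header, answer 500 instead.
    Assumes `app` calls start_response before returning its body."""
    def wrapped(environ, start_response):
        rejected = []
        def checking_start_response(status, headers, exc_info=None):
            bad = [h for h in headers if not header_is_valid(*h)]
            if bad:
                rejected.extend(bad)
                return start_response("500 Internal Server Error",
                                      [("Content-Type", "text/plain")], exc_info)
            return start_response(status, headers, exc_info)
        body = app(environ, checking_start_response)
        return [b"500 Internal Server Error\n"] if rejected else body
    return wrapped

def echo_location_app(environ, start_response):
    """Constructed app with the flaw the middleware guards against: it copies
    a request-controlled value into a response header without validation."""
    start_response("302 Found", [("Location", environ.get("QUERY_STRING", ""))])
    return [b""]

def run(app, query):
    """Drive `app` with a constructed request; return (status, headers dict)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["QUERY_STRING"] = query
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

if __name__ == "__main__":
    crlf = "/x\r\nX-Constructed: 1"  # constructed value with an embedded line break
    print(run(echo_location_app, crlf))                  # header passes through untouched
    print(run(strict_headers(echo_location_app), crlf))  # 500, bad header never sent
```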
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
