RhodeCode 3.8.4 Security Release - Remote Code Execution in Mercurial

Published on May 05, 2016, by Dmitrii Konchalenkov


Mercurial versions prior to 3.7.3 contain major vulnerabilities. Today we release RhodeCode 3.8.4, an off-cycle release which makes your Mercurial repositories safe again.

As usual, the update process is a simple one-liner.

Type
rccontrol self-update && rccontrol upgrade '*'
in the command line interface. Done!

Security issues in Mercurial prior to 3.7.3 allow for code execution when using Git subrepos, Git repo conversion, and clone, push, or pull commands. You can read more about it in the release notes section of the Mercurial website.
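As an added check that is not part of the RhodeCode post or the rccontrol tool, the POSIX shell snippet below reads the version out of the hg --version banner and compares it field by field against 3.7.3, so a 3.6.x or 3.7.2 install is flagged while 3.10 is not; the sample banner is constructed for the case where no hg binary is on the PATH.

```shell
# Added example, not from the RhodeCode post or the rccontrol tool:
# flag a Mercurial install older than 3.7.3, the first release with the fixes.

# Extract the version number from `hg --version` output, e.g. "3.7.3".
# The banner's first line reads: Mercurial Distributed SCM (version 3.7.3)
hg_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*(version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 is lower than dotted version $2.
# Fields are compared numerically, so 3.10 sorts after 3.7.3; missing
# fields count as 0, so 3.7 equals 3.7.0.
version_lt() {
    a="$1.0.0.0"; b="$2.0.0.0"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Return 0 if hg version $1 predates the 3.7.3 fixes, 1 otherwise.
hg_needs_update() {
    version_lt "$1" "3.7.3"
}

# Constructed banner, used when no hg binary is on the PATH.
SAMPLE_BANNER='Mercurial Distributed SCM (version 3.6.2)
(see https://mercurial-scm.org for more information)'

check_installed_hg() {
    if command -v hg >/dev/null 2>&1; then
        banner=$(hg --version 2>/dev/null)
    else
        banner="$SAMPLE_BANNER"
    fi
    v=$(hg_version_from_banner "$banner")
    if [ -z "$v" ]; then
        echo "could not determine hg version"
    elif hg_needs_update "$v"; then
        echo "hg $v predates 3.7.3: update before subrepo, convert, clone, push or pull use"
    else
        echo "hg $v includes the 3.7.3 fixes"
    fi
}

check_installed_hg
```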

Those are major vulnerabilities and we will always prioritize the protection of your source code above everything else. RhodeCode 3.8.4 addresses the issues to keep your repositories safe. We strongly recommend updating your RhodeCode instance to the latest version.

Type rccontrol self-update && rccontrol upgrade '*' in the command line or see the update documentation for details.

Yours securely,
RhodeCode team.