Release Notes

Features and bugfixes in our latest releases. Please see the Download page for links to source and binaries.

Note that Mercurial follows a time-based release plan with major releases every three months and minor (bugfix) releases on the first of every month (see TimeBasedReleasePlan).

{i} Be sure to read the upgrade notes when upgrading.

(See the archive for older versions)

1. Mercurial 4.7.1 (2018-09-04)

This is a regularly-scheduled bugfix release containing following fixes:

1.1. commands

1.2. core

1.3. hgweb

1.4. performance

2. Mercurial 4.7 (2018-08-01)

This is a regularly-scheduled quarterly feature release and has its own release notes page which can be found here Full release notes.

3. Mercurial 4.6.2 (2018-07-03)

This is a regularly-scheduled bugfix release containing following fixes:

4. Mercurial 4.6.1 (2018-06-06)

This is a regularly-scheduled bugfix release that also contains security fixes.

4.1. Security Fixes

Multiple issues found in mpatch.c with a fuzzer:

With the following fixes:

No exploits are known at the time, however, it is highly recommended that all users upgrade.

4.2. Bug Fixes

Also included in this release are the following,

5. Mercurial 4.6 (2018-05-06)

Full release notes are available. This is a regularly-scheduled quarterly feature release.

5.1. New Features

5.1.1. pullbundles

Pullbundles allow the server to answer client requests using pre-built bundles. This is different from the existing clonebundle feature:

Pullbundles are only used for clients running Mercurial 4.6 as well.

5.1.2. push

If 'server.streamunbundle' option is enabled, the server will directly apply the changes send by the changes. This avoids potentially large temporary files on the server side. It can also prevent concurrent pushes.

5.1.3. notify extension

The 'maxdiffstat' option can be used to truncate long file lists similar to 'maxdiff' for the patch part of the email.

5.1.4. hgweb

hgweb now shows date and user for operations that resulted in obsolete commit(s). For unstable commits, it shows the exact reason why they are considered unstable.

Server: header is now configurable using web.server-header option.

5.1.5. templates

A new template keyword 'reporoot' which shows the root directory of the current repository. A new template function 'mailmap' which maps author fields based on values in a .mailmap file.

5.1.6. Other notable features

5.2. Backwards Compatibility Changes

5.3. Performance Improvements

5.4. Bug Fixes

5.5. New experimental features

Each release there are lot of new features added which are hidden under the EXPERIMENTAL tag as the behavior may change in future or the feature is not complete yet. The experimental features added in this cycle are:

5.5.1. narrow extension

Allows to create clones which fetch history data for only a subset of files. This experimental extension is now distributed with Mercurial.

5.5.2. remotenames extension

Shows remotebookmarks and remotebranches in the UI. This experimental extension is now distributed with Mercurial.

5.5.3. infinitepush extension

Allows to store some pushes in a remote blob store on the server and to serve commits from remote blob store. The revisions are stored on disk or in everstore, the metadata are stored in sql or on disk. This experimental extension is now distributed with Mercurial.

5.5.4. fix extension

Allows to rewrite file content in changesets or working copy. For example, automatically applying formatting fixes to modified lines of code. This experimental extension is now distributed with Mercurial.

5.5.5. lfs extension

An alternative to the largefiles extension, which uses the git-lfs protocol. This experimental extension is now distributed with Mercurial.

5.6. API Changes

6. Mercurial 4.5.3 (2018-04-04)

This is a regularly-scheduled bugfix release.

6.1. Bug Fixes

7. Mercurial 4.5.1 / 4.5.2 (2018-03-06)

(4.5.2 was released immediately after 4.5.1 to fix a release oversight.)

This is a regularly-scheduled bugfix release.

7.1. Security Fixes

All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP server that allow permissions bypass to:

CVE-2018-1000132 has been assigned these vulnerabilities.

The nature of the vulnerabilities is:

  1. Wire protocol commands that didn't explicitly declare their permissions had no permissions checking done. The web.{allow-pull, allow-push, deny_read, etc} config options governing access control were never consulted when running these commands. This allowed permissions bypass for impacted commands.

  2. The batch wire protocol command did not list its permission requirements nor did it enforce permissions on individual sub-commands.

The implication of these vulnerabilities is that no permissions checking was performed on commands and this could lead to accessing data that web.* config options were supposed to prevent access to or modifying data (via wire protocol commands that can mutate data) without authorization. A Mercurial HTTP server in its default configuration is supposed to be read-only. However, a well-crafted batch command could invoke commands that perform writes.

The batch write permissions bypass has been present since Mercurial 1.9. The flaw of not checking permissions for wire protocol commands that don't declare their needed permissions has been present since Mercurial 1.0.

Assuming you are running a server without any custom commands provided by extensions, your exposure is unauthorized data access (if relying on the web.* config options to limit access) and unauthorized data mutation via the batch command.

Server operators can detect unauthorized use of the batch command by looking for requests to URLs of the form repo?cmd=batch with arguments containing pushkey or unbundle. This may produce false positives. A more comprehensive check would decode the argument string and verify that pushkey or unbundle are command names (not values). The arguments specified via x-hgarg-<N> request headers can span multiple headers. So advanced attackers could hide the vulnerability by splitting a pushkey or unbundle string across multiple headers. So the only reliable way to detect if this vulnerability is being exploited is to decode these headers like Mercurial does. The format for specifying arguments is documented at https://www.mercurial-scm.org/repo/hg/file/4.5/mercurial/help/internals/wireprotocol.txt#l26. Python code for decoding headers is at https://www.mercurial-scm.org/repo/hg/file/4.5/mercurial/hgweb/protocol.py#l70.

Mercurial 4.5.2 fixes these vulnerabilities by:

Wire protocol commands not declaring wire protocol permissions will be assumed to be read-write commands and a server in its default configuration (which only allows read-only access), will refuse to execute these commands.

For package maintainers needing to backport the fixes, the relevant changesets from 4.5.2 are 2c647da851ed::2ecb0fc535b1. These can be viewed online at e.g. https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1. The author of these commits has backports to 4.4 and 4.3 on a personal fork at https://hg.mozilla.org/users/gszorc_mozilla.com/hg. The backports for 4.4 are a4843835c835::7cf827e5f8af and for 4.3 are db527ae12671::86f9a022ccb8. To obtain these changesets, run e.g. hg pull -r 7cf827e5f8af https://hg.mozilla.org/users/gszorc_mozilla.com/hg.

7.2. Backwards Compatibility Changes

7.3. Bug Fixes

8. Mercurial 4.5 (2018-02-01)

8.1. New Features

8.1.1. revert --interactive

The revert command now accepts the flag --interactive to allow reverting only some of the changes to the specified files.

8.1.2. Accessing hidden changesets

Set config option 'experimental.directaccess = True' to access hidden changesets from read only commands.

8.1.3. githelp extension

The githelp extension provides the hg githelp command. This command attempts to convert a git command to its Mercurial equivalent. The extension can be useful to Git users new to Mercurial.

8.1.4. Largefiles changes

8.2. hgweb changes

hgweb now shows more information about commits: phase (if it's not public), obsolescence status (with a short explanation and links to the successors) and instabilities (e.g. orphan, phase-divergent or content-divergent).

Client-side graph code has been simplified by delegating more work to the backend, so /graph page is now more in sync with /log page, visually and feature-wise. Unfortunately, this code change means that 3rd-party themes for 4.5+ are required to have graphentry.tmpl template available (copy it from the base theme if you don't use %include and then reference it in map file) and render entries in graph.tmpl -- look at one of the core themes to see what it needs to look like. JS functions that create graph vertices and edges are now available in Graph.prototype, making it possible to call the original functions from custom theme-specific functions if needed.

Graph now shows different symbols for normal, branch-closing, obsolete and unstable commits, and marks currently checked out commit with a circle around its graph node.

There's also now json-graph API endpoint that can be used for rendering commit graph in 3rd-party applications.

8.2.1. Other Changes

8.3. Backwards Compatibility Changes

8.4. Bug Fixes

8.5. API Changes

9. Mercurial 4.4.2 (2017-12-01)

This is a regularly-scheduled bugfix release.

9.1. Notable changes

9.1.1. Stricter command option parsing

Mercurial can now optionally parse "early" options (-R/--repository, --cwd, --config, --debugger, and --profile) more strictly, for more secure integration with tools that invoke 'hg' commands. Setting HGPLAIN=+strictflags will parse these options more strictly, which prevents them from being injected as arguments to other flags.

9.2. Bug fixes

9.3. Performance improvements

10. Mercurial 4.4.1 (2017-11-07)

10.1. Notable changes

It is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked in to the repository in Mercurial 4.4 and earlier. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

11. Mercurial 4.4 (2017-11-01)

11.1. Notable changes

11.1.1. Control whitespace settings for annotation on hgweb

/annotate URLs on hgweb now accept query string arguments to influence how whitespace changes impact results.

The arguments "ignorews," "ignorewsamount," "ignorewseol," and "ignoreblanklines" now have the same meaning as their [annotate] config section counterparts. Any provided setting overrides the server default.

HTML checkboxes have been added to the paper and gitweb themes to expose current whitespace settings and to easily modify the current view.

11.1.2. Fast, heuristic copy-tracing

A new fast heuristic algorithm for copytracing which assumes that the files moves are either:

  1. renames in the same directory
  2. moves in other directories with same names

You can use this algorithm by setting 'experimental.copytrace=heuristics'. This setting performs full copytracing if both source and destination branches contains non-public changesets only.

11.1.3. Other changes

11.2. Backwards Compatibility Changes

11.3. Bug Fixes

11.4. Performance Improvements

11.5. API Changes

11.5.1. remove peer.batch()

Replace with peer.iterbatch().

11.5.2. Other Changes

12. Mercurial 4.3.3 (2017-10-01)

13. Mercurial 4.3.2 (2017-09-18)

14. Mercurial 4.3 / 4.3.1 (2017-08-10)

(4.3.1 was released immediately after 4.3 to fix a release oversight.)

An overview of new features available. This is a regularly-scheduled quarterly feature release.

14.1. Notable changes

14.2. CVE-2017-1000115

Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.

14.3. CVE-2017-1000116

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed.

15. Mercurial 4.2.3 (2017-08-10)

This was an out-of-cycle backport of security fixes from 4.3 for users stuck on Python 2.6.

16. Mercurial 4.2.2 (2017-07-05)

This is a regularly-scheduled bugfix release.

17. Mercurial 4.2.1 (2017-6-4)

This is a regularly-scheduled bugfix release.

18. Mercurial 4.2 (2017-5-2)

An overview of new features available. This is a regularly-scheduled quarterly feature release.

18.1. Notable changes

18.2. commands

18.3. core

18.4. extensions

18.5. hgweb

18.6. Behavior changes

18.7. Internal API changes

19. Mercurial 4.1.3 (2017-4-18)

This is an out of cycle release to address a security issue:

20. Mercurial 4.1.2 (2017-4-3)

This is a regularly-scheduled bugfix release.

21. Mercurial 4.1.1 (2017-3-2)

This is a regularly-scheduled bugfix release.

22. Mercurial 4.1 (2017-2-1)

An overview of new features available. This is a regularly-scheduled quarterly feature release.

22.1. commands

22.2. core

22.3. extensions

22.4. hgweb

22.5. chg

22.6. Behavior Changes

22.7. Internal API Changes

23. Mercurial 4.0.2 (2017-01-04)

This is a regularly-scheduled bugfix release.

24. Mercurial 4.0.1 (2016-12-1)

This is a regularly-scheduled bugfix release.

25. Mercurial 4.0 (2016-11-1)

An overview of new features available. This is a regularly-scheduled quarterly feature release. Unlike other 4.0 software releases, this is simply 3.9 + .1, so it should be the usual pain-free upgrade.

25.1. commands

25.2. core

25.3. extensions

25.4. hgweb

WhatsNew (last edited 2018-09-04 16:05:37 by AugieFackler)