Release Notes

Features and bugfixes in our latest releases. Please see the Download page for links to source and binaries.

Note that Mercurial follows a time-based release plan with major releases every three months and minor (bugfix) releases on the first of every month (see TimeBasedReleasePlan).

Be sure to read the upgrade notes when upgrading.

(See the archive for older versions)

1. Mercurial 4.5.1 / 4.5.2 (2018-03-06)

(4.5.2 was released immediately after 4.5.1 to fix a release oversight.)

This is a regularly-scheduled bugfix release.

1.1. Security Fixes

All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP server that allow permissions bypass to:

The nature of the vulnerabilities is:

  1. Wire protocol commands that didn't explicitly declare their permissions had no permissions checking done. The web.{allow-pull, allow-push, deny_read, etc} config options governing access control were never consulted when running these commands. This allowed permissions bypass for impacted commands.

  2. The batch wire protocol command did not list its permission requirements nor did it enforce permissions on individual sub-commands.

The implication of these vulnerabilities is that no permissions checking was performed on the affected commands. This could lead to reading data that the web.* config options were supposed to protect, or to modifying data (via wire protocol commands that can mutate data) without authorization. A Mercurial HTTP server in its default configuration is supposed to be read-only. However, a well-crafted batch command could invoke commands that perform writes.

The batch write permissions bypass has been present since Mercurial 1.9. The flaw of not checking permissions for wire protocol commands that don't declare their needed permissions has been present since Mercurial 1.0.

Assuming you are running a server without any custom commands provided by extensions, your exposure is unauthorized data access (if relying on the web.* config options to limit access) and unauthorized data mutation via the batch command.

Server operators can detect unauthorized use of the batch command by looking for requests to URLs of the form repo?cmd=batch whose arguments contain pushkey or unbundle. This may produce false positives. A more comprehensive check would decode the argument string and verify that pushkey or unbundle appear as command names (not as values). Note that the arguments specified via x-hgarg-<N> request headers can span multiple headers, so an attacker could evade a simple substring search by splitting the pushkey or unbundle string across several headers. The only reliable way to detect exploitation of this vulnerability is therefore to decode these headers the way Mercurial does. The format for specifying arguments is documented at https://www.mercurial-scm.org/repo/hg/file/4.5/mercurial/help/internals/wireprotocol.txt#l26. Python code for decoding headers is at https://www.mercurial-scm.org/repo/hg/file/4.5/mercurial/hgweb/protocol.py#l70.

Mercurial 4.5.2 fixes these vulnerabilities by:

Wire protocol commands that do not declare wire protocol permissions are assumed to be read-write commands, and a server in its default configuration (which only allows read-only access) will refuse to execute them.
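As an added example that is not Mercurial's own code, the Python below does what the detection advice above describes and models the 4.5.2 fix: it reassembles the x-hgarg-<N> headers and parses the batch argument format as documented in wireprotocol.txt, contrasts the grep-style check with a check on decoded command names, and then applies a fail-closed permission rule in which an undeclared command counts as read-write. The permission table, the sample requests and all function names are assumptions made for this example; arguments carried in a POST body (X-HgArgs-Post) are not handled.

```python
"""Decode hgweb wire-protocol arguments and check batch sub-commands.

Added example, not Mercurial's code. Format followed: X-HgArg-<N> headers are
concatenated in order and parsed as a URL query string; the batch 'cmds'
value is ';'-separated 'command arg=value,arg=value' entries whose names and
values escape ':' ',' ';' '=' as ':c' ':o' ':s' ':e'.
"""
from urllib.parse import parse_qs

# Constructed permission table standing in for Mercurial's command registry.
# 'pull' means read-only, 'push' means read-write.
DECLARED_PERMS = {
    "batch": "pull", "heads": "pull", "known": "pull",
    "pushkey": "push", "unbundle": "push",
}
WRITE_COMMANDS = {c for c, p in DECLARED_PERMS.items() if p == "push"}


def reassemble_hgargs(headers):
    """Concatenate X-HgArg-1, X-HgArg-2, ... (no separator) until a gap."""
    lower = {k.lower(): v for k, v in headers.items()}
    chunks, i = [], 1
    while f"x-hgarg-{i}" in lower:
        chunks.append(lower[f"x-hgarg-{i}"])
        i += 1
    return "".join(chunks)


def unescapearg(escaped):
    """Undo the batch-argument escaping; ':e' must be replaced first."""
    return (escaped.replace(":e", "=").replace(":s", ";")
            .replace(":o", ",").replace(":c", ":"))


def parse_batch_cmds(cmds):
    """Return [(command, {arg: value}), ...] for a batch 'cmds' string."""
    result = []
    for pair in cmds.split(";"):
        if not pair:
            continue
        op, _, args = pair.partition(" ")
        vals = {}
        for a in args.split(","):
            if a:
                name, _, value = a.partition("=")
                vals[unescapearg(name)] = unescapearg(value)
        result.append((op, vals))
    return result


def request_args(query_string, headers):
    """Merge query-string arguments with the reassembled header arguments."""
    args = parse_qs(query_string, keep_blank_values=True)
    args.update(parse_qs(reassemble_hgargs(headers), keep_blank_values=True))
    return args


def naive_grep_flags(query_string, headers):
    """The substring check from the advisory, applied to the URL and to each
    header on its own: it flags values that merely contain the word and
    misses a command name split across two headers."""
    blobs = [query_string, *headers.values()]
    return any(n in b for n in ("pushkey", "unbundle") for b in blobs)


def write_commands_in_batch(query_string, headers):
    """Write commands invoked through cmd=batch, matched by command name."""
    args = request_args(query_string, headers)
    if args.get("cmd") != ["batch"]:
        return []
    cmds = args.get("cmds", [""])[0]
    return [op for op, _ in parse_batch_cmds(cmds) if op in WRITE_COMMANDS]


def required_permission(command):
    """Fail closed: a command with no declared permission is read-write."""
    return DECLARED_PERMS.get(command, "push")


def authorize(query_string, headers, allowed=frozenset({"pull"})):
    """Model of the 4.5.2 rule: check the command and, for batch, every
    sub-command against what the server configuration allows."""
    args = request_args(query_string, headers)
    cmd = args.get("cmd", [""])[0]
    to_check = [cmd]
    if cmd == "batch":
        to_check += [op for op, _ in parse_batch_cmds(args.get("cmds", [""])[0])]
    for op in to_check:
        need = required_permission(op)
        if need not in allowed:
            return False, f"{op} requires {need}"
    return True, "ok"


# Constructed requests: a normal discovery batch, a benign 'known' query whose
# node value happens to contain the word, and a pushkey spread over two headers.
SAMPLE_BENIGN = ("cmd=batch", {"X-HgArg-1": "cmds=heads+%3Bknown+nodes%3Dabcdef"})
SAMPLE_VALUE_ONLY = ("cmd=batch", {"X-HgArg-1": "cmds=known+nodes%3Dpushkey"})
SAMPLE_SPLIT = ("cmd=batch", {
    "X-HgArg-1": "cmds=push",
    "X-HgArg-2": "key+namespace%3Dbookmarks%2Ckey%3Dfoo%2Cold%3D%2Cnew%3Dabc",
})

if __name__ == "__main__":
    for label, req in [("benign", SAMPLE_BENIGN), ("value-only", SAMPLE_VALUE_ONLY),
                       ("split", SAMPLE_SPLIT)]:
        print(label, naive_grep_flags(*req), write_commands_in_batch(*req),
              authorize(*req))
```

Run on the three constructed requests, the substring check flags the harmless "value-only" request and misses the split one, while the decoded check flags exactly the pushkey batch; the authorizer refuses that batch on a default read-only server and also refuses any command name absent from the table, which is the fail-closed behaviour the fix introduces.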

For package maintainers needing to backport the fixes, the relevant changesets from 4.5.2 are 2c647da851ed::2ecb0fc535b1. These can be viewed online at e.g. https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1. The author of these commits has backports to 4.4 and 4.3 on a personal fork at https://hg.mozilla.org/users/gszorc_mozilla.com/hg. The backports for 4.4 are a4843835c835::7cf827e5f8af and for 4.3 are db527ae12671::86f9a022ccb8. To obtain these changesets, run e.g. hg pull -r 7cf827e5f8af https://hg.mozilla.org/users/gszorc_mozilla.com/hg.

1.2. Backwards Compatibility Changes

1.3. Bug Fixes

2. Mercurial 4.5 (2018-02-01)

2.1. New Features

2.1.1. revert --interactive

The revert command now accepts the flag --interactive to allow reverting only some of the changes to the specified files.

2.1.2. Accessing hidden changesets

Set config option 'experimental.directaccess = True' to access hidden changesets from read only commands.

2.1.3. githelp extension

The githelp extension provides the hg githelp command. This command attempts to convert a git command to its Mercurial equivalent. The extension can be useful to Git users new to Mercurial.

2.1.4. Largefiles changes

2.2. hgweb changes

hgweb now shows more information about commits: phase (if it's not public), obsolescence status (with a short explanation and links to the successors) and instabilities (e.g. orphan, phase-divergent or content-divergent).

Client-side graph code has been simplified by delegating more work to the backend, so the /graph page is now more in sync with the /log page, visually and feature-wise. Unfortunately, this code change means that 3rd-party themes for 4.5+ are required to have a graphentry.tmpl template available (copy it from the base theme if you don't use %include, and then reference it in the map file) and to render entries in graph.tmpl; look at one of the core themes to see what it needs to look like. JS functions that create graph vertices and edges are now available in Graph.prototype, making it possible to call the original functions from custom theme-specific functions if needed.

Graph now shows different symbols for normal, branch-closing, obsolete and unstable commits, and marks currently checked out commit with a circle around its graph node.

There's also now a json-graph API endpoint that can be used for rendering the commit graph in 3rd-party applications.

2.2.1. Other Changes

2.3. Backwards Compatibility Changes

2.4. Bug Fixes

2.5. API Changes

3. Mercurial 4.4.2 (2017-12-01)

This is a regularly-scheduled bugfix release.

3.1. Notable changes

3.1.1. Stricter command option parsing

Mercurial can now optionally parse "early" options (-R/--repository, --cwd, --config, --debugger, and --profile) more strictly, for more secure integration with tools that invoke 'hg' commands. Setting HGPLAIN=+strictflags will parse these options more strictly, which prevents them from being injected as arguments to other flags.

3.2. Bug fixes

3.3. Performance improvements

4. Mercurial 4.4.1 (2017-11-07)

4.1. Notable changes

In Mercurial 4.4 and earlier, a specially malformed repository could cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked in to the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

5. Mercurial 4.4 (2017-11-01)

5.1. Notable changes

5.1.1. Control whitespace settings for annotation on hgweb

/annotate URLs on hgweb now accept query string arguments to influence how whitespace changes impact results.

The arguments "ignorews," "ignorewsamount," "ignorewseol," and "ignoreblanklines" now have the same meaning as their [annotate] config section counterparts. Any provided setting overrides the server default.

HTML checkboxes have been added to the paper and gitweb themes to expose current whitespace settings and to easily modify the current view.

5.1.2. Fast, heuristic copy-tracing

A new, fast heuristic algorithm for copytracing assumes that file moves are either:

  1. renames within the same directory
  2. moves to other directories that keep the same file name

You can use this algorithm by setting 'experimental.copytrace=heuristics'. With this setting, full copytracing is still performed if both the source and destination branches contain only non-public changesets.
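As an added example (not Mercurial's copies.py), the following Python shows the candidate search behind those two assumptions: a file missing from one side is paired with files added on the other side that share its basename or live in its old directory, and a relatedness check then confirms each pair. Because the example has no file history to consult, relatedness is modelled as identical content, which is an assumption; the sample paths are constructed.

```python
"""Heuristic copy tracing: candidate generation by basename or directory.

Added example, not Mercurial's code. The relatedness check is an assumption
(content equality); the real implementation consults file history.
"""
import posixpath


def heuristic_copies(removed, added, related=None):
    """Map each added path to the removed path it appears to be a copy of.

    removed/added: dicts of path -> content, standing in for the files that
    are missing on one side and new on the other. related(old, new) decides
    whether a candidate really is the same file; defaults to equality.
    """
    related = related or (lambda a, b: a == b)
    by_basename, by_dirname = {}, {}
    for path in added:
        by_basename.setdefault(posixpath.basename(path), []).append(path)
        by_dirname.setdefault(posixpath.dirname(path), []).append(path)
    copies = {}
    for old in removed:
        # Rule 2: same name elsewhere; rule 1: anything added in the old dir.
        candidates = (by_basename.get(posixpath.basename(old), [])
                      + by_dirname.get(posixpath.dirname(old), []))
        for new in dict.fromkeys(candidates):  # de-duplicate, keep order
            if new not in copies and related(removed[old], added[new]):
                copies[new] = old
    return copies


# Constructed sample: a rename in place, a move across directories, and an
# unrelated new file that merely shares a basename.
REMOVED = {"src/util.py": "def helper(): pass\n", "docs/readme.txt": "hello\n"}
ADDED = {
    "src/helpers.py": "def helper(): pass\n",  # renamed within src/
    "doc/readme.txt": "hello\n",               # moved to doc/
    "tests/util.py": "import pytest\n",        # same basename, different file
}

if __name__ == "__main__":
    for new, old in heuristic_copies(REMOVED, ADDED).items():
        print(f"{old} -> {new}")
```

The restriction to these two candidate sets is what makes the mode fast: instead of comparing every missing file with every added file, only same-name and same-directory pairs ever reach the (expensive) relatedness check.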

5.1.3. Other changes

5.2. Backwards Compatibility Changes

5.3. Bug Fixes

5.4. Performance Improvements

5.5. API Changes

5.5.1. remove peer.batch()

Replace with peer.iterbatch().

5.5.2. Other Changes

6. Mercurial 4.3.3 (2017-10-01)

7. Mercurial 4.3.2 (2017-09-18)

8. Mercurial 4.3 / 4.3.1 (2017-08-10)

(4.3.1 was released immediately after 4.3 to fix a release oversight.)

An overview of new features available. This is a regularly-scheduled quarterly feature release.

8.1. Notable changes

8.2. CVE-2017-1000115

Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
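As an added example that is not Mercurial's pathutil auditor, the Python below shows the class of check such auditing needs: every component of a working-copy path is examined in turn, and a component that is a symlink resolving outside the repository root causes the path to be refused before anything is written. It builds a constructed layout in a temporary directory so it runs offline; the function names and layout are assumptions for this example.

```python
"""Per-component symlink audit for paths under a repository root.

Added example, not Mercurial's code. Constructed layout in a temp directory.
"""
import os
import tempfile


def audit_path(root, relpath):
    """Return True if writing root/relpath cannot leave root.

    Every component is checked, so a symlink in a parent directory is caught
    before the final file is touched; a purely lexical check would miss it.
    """
    root = os.path.realpath(root)
    parts = relpath.split("/")
    if relpath.startswith("/") or any(p in ("", ".", "..") for p in parts):
        return False
    current = root
    for part in parts:
        current = os.path.join(current, part)
        if os.path.islink(current):
            target = os.path.realpath(current)
            if os.path.commonpath([root, target]) != root:
                return False
    return True


def demo():
    """Constructed repo: a normal dir, a symlink that stays inside the repo
    and a symlink that points outside it; return the verdict for each path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "repo")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "honest"))
        os.makedirs(outside)
        os.symlink("honest", os.path.join(root, "alias"))  # stays inside
        os.symlink(outside, os.path.join(root, "escape"))  # leaves root
        return {
            "honest/file": audit_path(root, "honest/file"),
            "alias/file": audit_path(root, "alias/file"),
            "escape/file": audit_path(root, "escape/file"),
            "../file": audit_path(root, "../file"),
        }


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{path}: {'allowed' if ok else 'refused'}")
```

A symlink that points back inside the repository (alias above) is accepted, which is the distinction an auditor must make: the problem is not symlinks as such, but a component whose real target lies outside the root.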

8.3. CVE-2017-1000116

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed.
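As an added example that is not Mercurial's sshpeer code, the Python below builds the ssh argument vector for an ssh:// URL while refusing any user, host or port value that begins with "-", which is what stops such a value from being read as an ssh option. It also places "--" before the host so ssh stops option parsing there. The URL splitting, the remote command string and the function names are assumptions made for this example.

```python
"""Build a safe ssh argv for an ssh:// repository URL.

Added example, not Mercurial's code. Rejects option-like user/host/port
values and terminates ssh option parsing with '--'.
"""
import shlex
from urllib.parse import urlsplit


def ssh_argv(url, remotecmd="hg"):
    """Return the argv to run, or raise ValueError for option-like parts."""
    parts = urlsplit(url)
    if parts.scheme != "ssh" or not parts.netloc:
        raise ValueError("not an ssh:// URL")
    # Split the authority by hand so the raw user/host/port strings are checked
    # exactly as they would reach ssh (urlsplit lower-cases the hostname).
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    if not host or parts.path in ("", "/"):
        raise ValueError("missing host or repository path")
    for label, value in (("user", userinfo), ("host", host), ("port", port)):
        if value.startswith("-"):
            raise ValueError(f"{label} {value!r} looks like an ssh option")
    argv = ["ssh"]
    if port:
        if not port.isdigit():
            raise ValueError("port must be numeric")
        argv += ["-p", port]
    argv.append("--")  # end of ssh options; the next word is always the host
    argv.append(f"{userinfo}@{host}" if userinfo else host)
    # The remote command is parsed by the remote shell, so quote the path.
    repo = parts.path[1:]
    argv.append(f"{remotecmd} -R {shlex.quote(repo)} serve --stdio")
    return argv


def is_safe_ssh_url(url):
    """True if ssh_argv accepts the URL, False if it is rejected."""
    try:
        ssh_argv(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(ssh_argv("ssh://user@example.com:22/repo"))
    # Constructed hostname of the shape the advisory describes; rejected.
    print(is_safe_ssh_url("ssh://-oProxyCommand=placeholder/repo"))
```

Both defences are kept because they cover different mistakes: the prefix check catches the value at the boundary where the URL is parsed, and "--" protects the call even if some other component of the host string is assembled later.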

9. Mercurial 4.2.3 (2017-08-10)

This was an out-of-cycle backport of security fixes from 4.3 for users stuck on Python 2.6.

10. Mercurial 4.2.2 (2017-07-05)

This is a regularly-scheduled bugfix release.

11. Mercurial 4.2.1 (2017-6-4)

This is a regularly-scheduled bugfix release.

12. Mercurial 4.2 (2017-5-2)

An overview of new features available. This is a regularly-scheduled quarterly feature release.

12.1. Notable changes

12.2. commands

12.3. core

12.4. extensions

12.5. hgweb

12.6. Behavior changes

12.7. Internal API changes

13. Mercurial 4.1.3 (2017-4-18)

This is an out-of-cycle release to address a security issue:

14. Mercurial 4.1.2 (2017-4-3)

This is a regularly-scheduled bugfix release.

15. Mercurial 4.1.1 (2017-3-2)

This is a regularly-scheduled bugfix release.

16. Mercurial 4.1 (2017-2-1)

An overview of new features available. This is a regularly-scheduled quarterly feature release.

16.1. commands

16.2. core

16.3. extensions

16.4. hgweb

16.5. chg

16.6. Behavior Changes

16.7. Internal API Changes

17. Mercurial 4.0.2 (2017-01-04)

This is a regularly-scheduled bugfix release.

18. Mercurial 4.0.1 (2016-12-1)

This is a regularly-scheduled bugfix release.

19. Mercurial 4.0 (2016-11-1)

An overview of new features available. This is a regularly-scheduled quarterly feature release. Unlike other 4.0 software releases, this is simply 3.9 + .1, so it should be the usual pain-free upgrade.

19.1. commands

19.2. core

19.3. extensions

19.4. hgweb