Mercurial 6.9.4 fixes CVE-2025-2361: XSS in hgweb

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://lists.mercurial-scm.org/pipermail/mercurial-packaging/2025-March/000754.html announces:

> Subject: Mercurial 6.9.4 tagged (CVE-2025-2361)
> From: Pierre-Yves David pierre-yves.david at octobus.net
> Date: Wed Mar 19 15:16:31 UTC 2025
>
> This is an out of schedule security release
>
> Please update your package builds, thanks.
>
>
> This fixes a XSS vulnerability in hgweb, were an attacker could forge a link that would execute javascript in the 
> target browser.
>
> In practice in production setup, such injection might be caught by the wsgi layer.
>
> For example the popular mode_wsgi would catch such injection and return a 500 instead:
>
> https://github.com/GrahamDumpleton/mod_wsgi/blob/develop/src/server/wsgi_validate.c#L75
>
> Thanks goes to Julien Cristau for noticing that such mitigation existed.
>
>
> --
> Pierre-Yves David

https://lists.mercurial-scm.org/pipermail/mercurial-packaging/2025-March/000753.html adds:

> This is an XSS vulnerability in hg-web, and the original bug was 
> introduced way back in 2006!
>
> This was disclosed without our involvement and showed some gaps in our 
> security handling practices that thankfully don't need to be put to the 
> test very often. Nevertheless, I hope that measures like refreshing our 
> security list should improve the situation in the future.

Debian's security tracker points to this commit for further details:
https://foss.heptapod.net/mercurial/mercurial-devel/-/commit/a5c72ed2929341d97b11968211c880854803f003

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris