hg-git 0.8.9 has just been tagged and uploaded to PyPI. This release
is compatible with the just-released Mercurial 4.3.
This release includes a fix for CVE-2017-1000116. From the Mercurial
release announcement:
Mercurial was not sanitizing hostnames passed to ssh, allowing shell
injection attacks by specifying a hostname starting with -oProxyCommand.
This is also present in Git (CVE-2017-1000117) and Subversion
(CVE-2017-9800), so please patch those tools as well if you have
them installed. All three tools are doing their security release
today.
1580716608