* It was discovered that Mercurial failed to properly check Git sub-
repository URLs. A Mercurial repository that includes a Git sub-repository
with a specially crafted URL could cause Mercurial to execute arbitrary
code. (CVE-2016-3068)
* It was discovered that the Mercurial convert extension failed to
sanitize special characters in Git repository names. A Git repository with
a specially crafted name could cause Mercurial to execute arbitrary code
when the Git repository was converted to a Mercurial repository.
(CVE-2016-3069)
--