Updated mercurial packages fix security vulnerabilities:
Blake Burkhart discovered that Mercurial allows URLs for Git subrepositories that could result in arbitrary code execution on clone (CVE-2016-3068).
Blake Burkhart discovered that Mercurial allows arbitrary code execution when converting Git repositories with specially crafted names (CVE-2016-3069).
It was discovered that Mercurial does not properly perform bounds-checking in its binary delta decoder, which may be exploitable for remote code execution via clone, push or pull (CVE-2016-3630).