CVE-2016-3630
The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
Date published : 2016-04-13
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html