Advisories for Pypi/Mercurial package

Directory traversal vulnerability in patch.py in Mercurial 1.0.1 allows user-assisted attackers to modify arbitrary files via ".." (dot dot) sequences in a patch file.

In Mercurial, "hg serve –stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using –debugger as a repository name.