Updated mercurial packages are available for Debian 7 LTS
Package : mercurial
Version : 2.2.2-4+deb7u3
CVE ID : CVE-2016-3105
Blake Burkhart discovered an arbitrary code execution flaw in
Mercurial, a distributed version control system, when using the convert
extension on Git repositories with specially crafted names. This flaw in
particular affects automated code conversion services that allow
arbitrary repository names.
Patches are taken from the Jessie version.