mercurial CVEs - plan for f25 and f26 updates

Mercurial's symlink auditing was incomplete prior to 4.3, and could be
abused to write to files outside the repository.


Mercurial was not sanitizing hostnames passed to ssh, allowing shell
injection attacks by specifying a hostname starting with -oProxyCommand.

Currently we have:

hg thg
f25 3.8.1 3.8.3(f24)
f26 4.2 4.2.1

Mercurial upstream has provided fixed versions 4.3 and 4.2.3.

I propose that for f26 we update hg to 4.2.3, and together with thg 4.2.3
(currently latest is 4.2.2)

I propose for f25 to similarly update hg and thg to 4.2.3

Another package that requires mercurial and may be affected is hg-git.