hg.sr.ht and git.sr.ht versions prior to 0.32.3 and 0.83.5 respectively
were vulnerable to command injection, which allows a remote user to
execute arbitrary commands as the hg or git user on the host.
Administrators of third-party SourceHut instances are advised to upgrade
your instance to hg.sr.ht 0.32.3 or newer and git.sr.ht 0.83.5 or newer
urgently.
Thanks to Thomas Chauchefoin for discovering and responsibly disclosing
these vulnerabilities.