Multiple Mercurial CVEs have been announced

Bug #1759366 reported by Simon Quigley
Affects                 Status        Importance  Assigned to  Milestone
mercurial (Ubuntu)      Fix Released  High        Unassigned
  Trusty                Confirmed     High        Unassigned
  Xenial                Confirmed     High        Unassigned

Bug Description

There are multiple CVEs in Mercurial that should be fixed through a security update. Here are the releases that I believe need patching and the releases which I believe are affected:

 * CVE-2016-3068: Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.
   - Trusty
 * CVE-2016-3069: Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository.
   - Trusty
 * CVE-2016-3105: The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name.
   - Trusty
   - Xenial
 * CVE-2016-3630: The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
   - Trusty
 * CVE-2017-17458: In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.
   - Trusty
   - Xenial
   - Artful
 * CVE-2018-1000132: Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.
   - Trusty
   - Xenial
   - Artful

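The following triage helper is an added example and is not code from Mercurial, Ubuntu, or the bug reporter. It does two things a maintainer or admin would want when working through the list above: it compares an installed Mercurial version against the "before X" fixed-in versions quoted in the bug to see which of the six CVEs still apply, and it scans a .hgsub file for the subrepository shapes named in the bug (git subrepositories, and git subrepositories pulled over the ext:: transport) so they can be reviewed before a clone. It assumes the documented .hgsub layout `path = [kind]source` with the kind defaulting to hg; the sample .hgsub and the hostnames in it are constructed for the demonstration.

```python
"""Triage helpers for the Mercurial CVEs listed in this bug.

Added example; not code from Mercurial, Ubuntu, or the bug reporter.
Assumptions: the documented .hgsub layout ``path = [kind]source`` with the
kind defaulting to hg, and the fixed-in versions quoted in the bug description
("before X" is read as: every release below X is affected).
"""
import re
from typing import Dict, List, Tuple

# Fixed-in versions as quoted in the bug description.
FIXED_IN: Dict[str, str] = {
    "CVE-2016-3068": "3.7.3",
    "CVE-2016-3069": "3.7.3",
    "CVE-2016-3105": "3.8",
    "CVE-2016-3630": "3.7.3",
    "CVE-2017-17458": "4.4.1",
    "CVE-2018-1000132": "4.5.1",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted number from `text` (a bare '3.8' or the
    'Mercurial Distributed SCM (version 4.5.1)' banner of `hg version`)
    and pad it to three components so that 3.8 == 3.8.0 and 3.7.3 < 3.8."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def unfixed_cves(version: str) -> List[str]:
    """CVEs from the bug whose fix landed after `version`, sorted by ID."""
    have = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if have < parse_version(fixed))


# One .hgsub entry: "<path> = [<kind>]<source>"; the [kind] prefix is optional.
HGSUB_ENTRY = re.compile(
    r"^\s*(?P<path>[^=#]+?)\s*=\s*(?:\[(?P<kind>[a-z]+)\])?(?P<source>.+?)\s*$"
)


def scan_hgsub(text: str) -> List[Dict[str, object]]:
    """Report every subrepository declared in a .hgsub file, marking the ones
    that match the vectors named in the bug: git subrepositories reached over
    the ext:: transport (CVE-2016-3068) and git subrepositories in general
    (CVE-2017-17458, a checked-in .git/hooks/post-update script)."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = HGSUB_ENTRY.match(line)
        if m is None:
            findings.append({"line": lineno, "path": line.strip(), "kind": None,
                             "source": None, "risk": "unparseable entry"})
            continue
        kind = m.group("kind") or "hg"
        source = m.group("source")
        if kind == "git" and source.startswith("ext::"):
            risk = "git subrepo over ext:: transport (CVE-2016-3068 vector)"
        elif kind == "git":
            risk = "git subrepo (CVE-2017-17458: checked-in hooks may run)"
        else:
            risk = "review before clone"
        findings.append({"line": lineno, "path": m.group("path"), "kind": kind,
                         "source": source, "risk": risk})
    return findings


# Constructed sample .hgsub for the demonstration; not taken from any repository.
SAMPLE_HGSUB = """\
# vendored code
vendor/lib   = vendor/lib
tools/helper = [git]https://example.invalid/helper.git
build/remote = [git]ext::ssh user@example.invalid %S helper
"""


def risky_subrepos(text: str) -> List[str]:
    """Paths of the entries that need attention before cloning."""
    return [str(f["path"]) for f in scan_hgsub(text)
            if f["risk"] != "review before clone"]


if __name__ == "__main__":
    for banner in ("3.7.2", "3.8", "Mercurial Distributed SCM (version 4.5.1)"):
        print(banner, "->", unfixed_cves(banner) or "none of the listed CVEs")
    for f in scan_hgsub(SAMPLE_HGSUB):
        print(f"{f['line']}: {f['path']} [{f['kind']}] {f['risk']}")
```

One caveat on the version check: Ubuntu security updates backport fixes without changing the upstream version string, so a Trusty or Xenial package can report an old `hg version` and still carry the fix. For a distro package, confirm against the package changelog or the USN rather than the upstream number alone; the comparison above is reliable only for upstream builds.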
Simon Quigley (tsimonq2)
Changed in mercurial (Ubuntu):
importance: Undecided → High
Changed in mercurial (Ubuntu Trusty):
importance: Undecided → Critical
importance: Critical → High
Changed in mercurial (Ubuntu Xenial):
importance: Undecided → High
Changed in mercurial (Ubuntu Artful):
importance: Undecided → High
Changed in mercurial (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in mercurial (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in mercurial (Ubuntu Artful):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in mercurial (Ubuntu Trusty):
status: New → Won't Fix
Changed in mercurial (Ubuntu Xenial):
status: New → Confirmed
Changed in mercurial (Ubuntu Artful):
status: New → Confirmed
Changed in mercurial (Ubuntu Trusty):
status: Won't Fix → Confirmed
Changed in mercurial (Ubuntu):
status: New → Fix Released
summary: - Multiple mercurial CVEs have been announced
+ Multiple Mercurial CVEs have been announced
information type: Public → Public Security
Simon Quigley (tsimonq2)
tags: added: community-security
Simon Quigley (tsimonq2)
no longer affects: mercurial (Ubuntu Artful)
Simon Quigley (tsimonq2)
Changed in mercurial (Ubuntu Trusty):
assignee: Simon Quigley (tsimonq2) → nobody
Changed in mercurial (Ubuntu Xenial):
assignee: Simon Quigley (tsimonq2) → nobody