mercurial: 3.7.1 -> 3.7.3 for multiple CVEs

CVE-2016-3068

    Blake Burkhart discovered that Mercurial allows URLs for Git
    subrepositories that could result in arbitrary code execution on
    clone.

CVE-2016-3069

    Blake Burkhart discovered that Mercurial allows arbitrary code
    execution when converting Git repositories with specially
    crafted names.

CVE-2016-3630

    It was discovered that Mercurial does not properly perform bounds-
    checking in its binary delta decoder, which may be exploitable for
    remote code execution via clone, push or pull.