Package: mercurial
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mercurial.

CVE-2008-4297[0]:
| Mercurial before 1.0.2 does not enforce the allowpull permission
| setting for a pull operation from hgweb, which allows remote attackers
| to read arbitrary files from a repository via an "hg pull" request.

I am not sure about the severity of this issue, could you please investigate it?

There might be some additional information on the rpath page[1] and the selenic
wiki[2].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4297
    http://security-tracker.debian.net/tracker/CVE-2008-4297
[1] https://issues.rpath.com/browse/RPL-2753
[2] http://www.selenic.com/mercurial/wiki/index.cgi/WhatsNew#head-905b8adb3420a77d92617e06590055bd8952e02b
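The CVE text above boils down to a missing authorization check: hgweb served the data a pull asks for without consulting the `web.allowpull` setting. The following is an added illustration, not Mercurial's own hgweb code and not part of the bug report. It models a tiny hgweb-style dispatcher with a constructed in-memory config and changegroup; the `serve_pull_vulnerable` / `serve_pull_fixed` names, the `dispatch` helper and the config dictionary layout are assumptions made for the demo. The hgrc key `web.allowpull` and its default of `True` are real, and the boolean parser mirrors the spellings hgrc accepts.

```python
"""Model of the authorization gap described in CVE-2008-4297 (added example).

Not Mercurial's code.  It shows the difference between a pull handler that
ignores ``web.allowpull`` and one that enforces it, so a reviewer can see
what "does not enforce the allowpull permission" means in practice.
"""

# Constructed hgrc-like configs: section -> {key: raw string value}
CONFIG_DENY = {"web": {"allowpull": "false"}}
CONFIG_ALLOW = {"web": {"allowpull": "true"}}
CONFIG_UNSET = {"web": {}}          # key absent -> hgrc default (True)

# Constructed stand-in for a changegroup bundle; real ones are binary.
SAMPLE_CHANGEGROUP = b"HG10UN<constructed changegroup bytes>"

# Spellings hgrc accepts for booleans (case-insensitive).
_TRUE = {"1", "yes", "true", "on", "always"}
_FALSE = {"0", "no", "false", "off", "never"}


def configbool(config, section, name, default):
    """Read a boolean from the config, falling back to ``default`` when unset."""
    value = config.get(section, {}).get(name)
    if value is None:
        return default
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"{section}.{name} is not a boolean: {value!r}")


def serve_pull_vulnerable(config, changegroup):
    """Behaviour the CVE describes: the bundle is sent whatever allowpull says."""
    return {"status": 200, "body": changegroup}


def serve_pull_fixed(config, changegroup):
    """Hardened handler: consult web.allowpull (default True) before serving."""
    if not configbool(config, "web", "allowpull", True):
        # Refuse without leaking repository contents.
        return {"status": 403, "body": b"pull not authorized"}
    return {"status": 200, "body": changegroup}


# Hypothetical dispatcher: which wire commands count as a pull is an assumption
# of this demo, not a statement about Mercurial's real protocol table.
PULL_COMMANDS = {"changegroup", "changegroupsubset"}


def dispatch(config, command, changegroup=SAMPLE_CHANGEGROUP, handler=serve_pull_fixed):
    """Route a request; every pull-type command goes through the gated handler."""
    if command in PULL_COMMANDS:
        return handler(config, changegroup)
    if command == "capabilities":
        return {"status": 200, "body": b"lookup changegroupsubset"}
    return {"status": 400, "body": b"unknown command"}


if __name__ == "__main__":
    for name, cfg in (("deny", CONFIG_DENY), ("allow", CONFIG_ALLOW), ("unset", CONFIG_UNSET)):
        before = serve_pull_vulnerable(cfg, SAMPLE_CHANGEGROUP)["status"]
        after = serve_pull_fixed(cfg, SAMPLE_CHANGEGROUP)["status"]
        print(f"allowpull={name:5s}  vulnerable -> {before}  fixed -> {after}")
```

The point for a maintainer triaging the report: an explicit `allowpull = false` in the `[web]` section has no effect in the vulnerable path, so a repository its operator believed to be read-protected is still fully cloneable; the fix is to check the setting on every pull-type request, not only when rendering the web UI.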
