Package: mercurial
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for mercurial.

CVE-2008-4297[0]:
| Mercurial before 1.0.2 does not enforce the allowpull permission
| setting for a pull operation from hgweb, which allows remote attackers
| to read arbitrary files from a repository via an "hg pull" request.

I am not sure about the severity of this issue, could you please investigate it?
There might be some additional information on the rpath page[1] and the selenic wiki[2].

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4297
    http://security-tracker.debian.net/tracker/CVE-2008-4297
[1] https://issues.rpath.com/browse/RPL-2753
[2] http://www.selenic.com/mercurial/wiki/index.cgi/WhatsNew#head-905b8adb3420a77d92617e06590055bd8952e02b

