[Python-apps-team] Bug#500781: CVE-2008-4297: privilege escalation
Steffen Joeris
steffen.joeris at skolelinux.de
Wed Oct 1 11:49:53 UTC 2008
Package: mercurial
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mercurial.
CVE-2008-4297[0]:
| Mercurial before 1.0.2 does not enforce the allowpull permission
| setting for a pull operation from hgweb, which allows remote attackers
| to read arbitrary files from a repository via an "hg pull" request.
I am not sure about the severity of this issue, could you please investigate it?
There might be some additional information on the rpath page[1] and the selenic
wiki[2].
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4297
http://security-tracker.debian.net/tracker/CVE-2008-4297
[1] https://issues.rpath.com/browse/RPL-2753
[2] http://www.selenic.com/mercurial/wiki/index.cgi/WhatsNew#head-905b8adb3420a77d92617e06590055bd8952e02b
More information about the Python-apps-team
mailing list