[Python-apps-team] Bug#892743: permissions bypass on http server

Wagner Bruna wbruna at yahoo.com
Mon Mar 12 13:50:54 UTC 2018


Package: mercurial
Version: 4.0-1+deb9u1
Severity: grave
Tags: security

As seen in https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29 :

All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP
server that allow permissions bypass to:

* Perform writes on repositories that should be read-only
* Perform reads on repositories that shouldn't allow read access

(...)
the relevant changesets from 4.5.2 are 2c647da851ed::2ecb0fc535b1.
These can be viewed online at e.g.
https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1.
The author of these commits has backports to 4.4 and 4.3 on a personal fork
at https://hg.mozilla.org/users/gszorc_mozilla.com/hg.
The backports for 4.4 are a4843835c835::7cf827e5f8af and for 4.3 are
db527ae12671::86f9a022ccb8. To obtain these changesets, run e.g.
hg pull -r 7cf827e5f8af https://hg.mozilla.org/users/gszorc_mozilla.com/hg.
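A small triage helper, added here and not part of the report or of Mercurial itself: it takes a Debian package version such as the one in this bug, extracts the upstream Mercurial version, and classifies it against the 4.5.2 fix threshold and the 4.4/4.3 backport series named above. It compares the upstream part only, so a distribution package whose Debian revision already carries a backported fix must still be checked against its changelog.

```python
import re

# Per the 4.5.1/4.5.2 release notes quoted above: upstream versions
# before 4.5.2 are affected by the HTTP server permissions bypass.
FIXED_UPSTREAM = (4, 5, 2)

# Upstream series for which the commit author published backports
# (see the hg.mozilla.org fork referenced in the report).
BACKPORT_SERIES = {(4, 4), (4, 3)}


def upstream_version(debian_version: str) -> tuple:
    """Return the upstream version tuple from a Debian package version.

    Debian versions look like [epoch:]upstream[-debian_revision].
    The epoch and the revision (e.g. '-1+deb9u1') are packaging data,
    not upstream information, so both are stripped before comparing.
    """
    v = debian_version.split(":", 1)[-1]   # drop optional epoch
    v = v.split("-", 1)[0]                 # drop Debian revision
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"cannot parse version: {debian_version!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def _pad(t: tuple, n: int = 3) -> tuple:
    # '4.0' and '4.0.0' are the same release; normalise for comparison.
    return t + (0,) * (n - len(t))


def assess(debian_version: str) -> str:
    """Classify a package version as fixed or affected."""
    v = _pad(upstream_version(debian_version))
    if v >= FIXED_UPSTREAM:
        return "fixed"
    if v[:2] in BACKPORT_SERIES:
        return "affected (backport series available)"
    return "affected"


if __name__ == "__main__":
    # The version from this bug report, used as sample input.
    for ver in ("4.0-1+deb9u1", "4.4.2-1", "4.5.2-1"):
        print(f"{ver}: {assess(ver)}")
```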
