Hi Steffen,

* Steffen Joeris <[EMAIL PROTECTED]> [2008-10-01 15:59]:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for mercurial.
>
> CVE-2008-4297[0]:
> | Mercurial before 1.0.2 does not enforce the allowpull permission
> | setting for a pull operation from hgweb, which allows remote attackers
> | to read arbitrary files from a repository via an "hg pull" request.
>
> I am not sure about the severity of this issue, could you please investigate
> it?

I'd say grave would be appropriate as the repository could contain sensitive information that should not be pulled. The only thing with that is that hgweb itself is not shipped within the Debian package, but I guess a lot of people are using the source package to extract the CGI script anyway.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.