Nico Golde wrote:
> Hi Steffen,
> * Steffen Joeris <[EMAIL PROTECTED]> [2008-10-01 15:59]:
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for mercurial.
>>
>> CVE-2008-4297[0]:
>> | Mercurial before 1.0.2 does not enforce the allowpull permission
>> | setting for a pull operation from hgweb, which allows remote attackers
>> | to read arbitrary files from a repository via an "hg pull" request.
>>
>> I am not sure about the severity of this issue; could you please investigate
>> it?
>
> I'd say grave would be appropriate as the repository could
> contain sensitive information that should not be pulled. The
> only thing with that is that hgweb itself is not shipped
> within the Debian package but I guess a lot of people are
> using the source package to extract the cgi script anyway.
hgweb is not set up by default (because it needs manual edits),
but hgweb.cgi, hgwebdir.cgi, and hgwebdir.fcgi are installed in
/usr/share/doc/mercurial/examples/
Regards,
Vincent
> Cheers
> Nico
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Python-apps-team mailing list
> [EMAIL PROTECTED]
> http://lists.alioth.debian.org/mailman/listinfo/python-apps-team
--
Vincent Danjean GPG key ID 0x9D025E87 [EMAIL PROTECTED]
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://www-id.imag.fr/~danjean/deb.html#package
APT repo: deb http://perso.debian.org/~vdanjean/debian unstable main
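As an added example (not part of the thread above, and not Mercurial's own code), here is a small audit script for the point the CVE text makes: on Mercurial before 1.0.2, setting `allowpull = false` in the `[web]` section of an hgweb configuration is not enforced for pull requests, so the setting alone is no protection and has to be combined with a version check. It assumes an INI-style hgrc/hgweb.config with a `[web]` section, that a missing `allowpull` means enabled (Mercurial's documented default), and a plain dotted version string such as "1.0.1"; the sample configurations at the bottom are constructed.

```python
"""Audit an hgweb configuration for CVE-2008-4297 exposure.

Added example, not from the mailing-list thread. Assumptions:
 - the config is INI-style with a [web] section holding `allowpull`
   (Mercurial's documented setting; absent means enabled);
 - the Mercurial version is a dotted string like "1.0.1";
 - versions before 1.0.2 ignore allowpull for pull requests (the CVE text).
"""
import configparser

FIXED_VERSION = (1, 0, 2)  # first release that enforces allowpull per CVE-2008-4297


def parse_version(s: str) -> tuple:
    """"1.0.1" -> (1, 0, 1); a non-numeric suffix such as "1.0.2+x" is ignored."""
    parts = []
    for piece in s.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def allowpull_enabled(hgrc_text: str) -> bool:
    """Return True if the config leaves pulling enabled (Mercurial's default)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(hgrc_text)
    if not cp.has_section("web"):
        return True
    return cp.getboolean("web", "allowpull", fallback=True)


def assess(hgrc_text: str, hg_version: str) -> str:
    """Classify the deployment.

    PULL_ALLOWED  - config permits pulls anyway; the CVE changes nothing.
    PROTECTED     - allowpull is off and the version enforces it.
    VULNERABLE    - allowpull is off but the version ignores it (CVE-2008-4297).
    """
    if allowpull_enabled(hgrc_text):
        return "PULL_ALLOWED"
    if parse_version(hg_version) >= FIXED_VERSION:
        return "PROTECTED"
    return "VULNERABLE"


# Constructed sample configurations (not from any real deployment).
SAMPLE_LOCKED_DOWN = "[web]\nallowpull = false\ndescription = internal repo\n"
SAMPLE_DEFAULT = "[web]\ndescription = public repo\n"

if __name__ == "__main__":
    for version in ("1.0.1", "1.0.2"):
        print(version, "locked-down config:", assess(SAMPLE_LOCKED_DOWN, version))
        print(version, "default config:   ", assess(SAMPLE_DEFAULT, version))
```

The useful outcome is the VULNERABLE case: an administrator who relied on `allowpull = false` for a repository served by hgweb.cgi or hgwebdir.cgi from a pre-1.0.2 package still has every file in the repository readable by anyone who can reach the CGI, which is what justifies the "grave" severity discussed above.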