Nico Golde wrote:
> Hi Steffen,
> * Steffen Joeris <[EMAIL PROTECTED]> [2008-10-01 15:59]:
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for mercurial.
>>
>> CVE-2008-4297[0]:
>> | Mercurial before 1.0.2 does not enforce the allowpull permission
>> | setting for a pull operation from hgweb, which allows remote attackers
>> | to read arbitrary files from a repository via an "hg pull" request.
>>
>> I am not sure about the severity of this issue, could you please investigate
>> it?
>
> I'd say grave would be appropriate as the repository could
> contain sensitive information that should not be pulled. The
> only thing with that is that hgweb itself is not shipped
> within the Debian package but I guess a lot of people are
> using the source package to extract the cgi script anyway.
hgweb is not set up by default (because it needs manual editions). But hgweb.cgi, hgwebdir.cgi, and hgwebdir.fcgi are installed in /usr/share/doc/mercurial/examples/

Regards,
  Vincent

> Cheers
> Nico

--
Vincent Danjean       GPG key ID 0x9D025E87         [EMAIL PROTECTED]
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://www-id.imag.fr/~danjean/deb.html#package
APT repo:  deb http://perso.debian.org/~vdanjean/debian unstable main
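As an added illustration of the setting CVE-2008-4297 concerns (example code, not Mercurial's own and not from anyone in this thread): a small Python model of an hgweb-style dispatcher that reads `allowpull` from the `[web]` section of an hgrc-style file and refuses pull-type protocol commands when it is false, shown beside the unenforced variant the advisory describes. The command names, the response strings and the sample hgrc are assumptions of this model.

```python
import configparser

# Assumption of this model: the protocol commands that "hg pull" drives over
# HTTP are treated as pull-type and gated by the [web] allowpull setting.
PULL_COMMANDS = {"changegroup", "changegroupsubset"}
OTHER_COMMANDS = {"capabilities", "heads"}

# Constructed sample hgrc: the owner forbids pulling this repository over hgweb.
SAMPLE_HGRC = """
[web]
allowpull = false
description = internal repository
"""


def load_web_config(text: str) -> dict:
    """Return the [web] section of an hgrc-style config as a plain dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["web"]) if cp.has_section("web") else {}


def allowpull(cfg: dict) -> bool:
    """Pulls are permitted unless allowpull is explicitly set to a false value."""
    return cfg.get("allowpull", "true").strip().lower() not in {"false", "0", "no", "off"}


def serve_vulnerable(cfg: dict, cmd: str) -> str:
    """Behaviour the advisory describes: the setting is present but never consulted."""
    if cmd in PULL_COMMANDS | OTHER_COMMANDS:
        return "200 " + cmd
    return "404 unknown command"


def serve_fixed(cfg: dict, cmd: str) -> str:
    """Hardened dispatcher: pull-type commands are refused when allowpull is false."""
    if cmd in PULL_COMMANDS and not allowpull(cfg):
        return "401 pull not authorized"   # response string is an assumption
    return serve_vulnerable(cfg, cmd)


if __name__ == "__main__":
    cfg = load_web_config(SAMPLE_HGRC)
    for cmd in ("heads", "changegroup"):
        print(cmd, "| vulnerable:", serve_vulnerable(cfg, cmd), "| fixed:", serve_fixed(cfg, cmd))
```

Non-pull commands such as `heads` are still served by the fixed dispatcher; only the commands that transfer repository contents are gated.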