Your message dated Wed, 21 Mar 2018 14:48:54 +0100
with message-id <ef514e17-7862-54cd-90cb-5a2f38511...@debian.org>
and subject line Security bugs fixed in mercurial 4.5.2-1
has caused the Debian Bug report #892743,
regarding permissions bypass on http server
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
892743: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892743
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mercurial
Version: 4.0-1+deb9u1
Severity: grave
Tags: security
As seen in
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29 :
All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP
server that allow permissions bypass to:
* Perform writes on repositories that should be read-only
* Perform reads on repositories that shouldn't allow read access
(...)
the relevant changesets from 4.5.2 are 2c647da851ed::2ecb0fc535b1.
These can be viewed online at e.g.
https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1.
The author of these commits has backports to 4.4 and 4.3 on a personal fork
at https://hg.mozilla.org/users/gszorc_mozilla.com/hg.
The backports for 4.4 are a4843835c835::7cf827e5f8af and for 4.3 are
db527ae12671::86f9a022ccb8. To obtain these changesets, run e.g.
hg pull -r 7cf827e5f8af https://hg.mozilla.org/users/gszorc_mozilla.com/hg.
--- End Message ---
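A triage helper, added here as an example (it is not part of the bug report, the Debian package, or the Mercurial project): given a Debian package version such as `4.0-1+deb9u1` or the output of `hg version`, it decides whether the upstream release is older than 4.5.2, the version the advisory names as fixed. The `hg version` output format ("Mercurial Distributed SCM (version X.Y.Z)") and the pre-release handling are assumptions. A distribution may backport the fix under an older upstream version number, so this is an upstream-version heuristic, not proof that a host is vulnerable.

```python
import re

# Upstream release carrying the fix, per the advisory quoted in the report.
# Trailing 0 = final release (pre-releases sort below it, see version_tuple).
FIXED_UPSTREAM = (4, 5, 2, 0)


def upstream_version(debian_version: str) -> str:
    """Strip a Debian epoch ("1:") and revision ("-1+deb9u1") from a package version."""
    v = debian_version.split(":", 1)[-1]            # drop epoch if present
    return v.rsplit("-", 1)[0] if "-" in v else v   # drop Debian revision


def version_tuple(upstream: str) -> tuple:
    """Turn "4.5.2", "4.6" or "4.5.2rc1" into a comparable 4-tuple.

    The fourth element orders pre-releases (rc/dev) below the final release
    and treats "+N-hash" local builds as at least the tagged release.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$", upstream.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % upstream)
    major, minor, patch, suffix = m.groups()
    rank = 0
    if suffix and not suffix.startswith("+"):
        rank = -1                                   # assumption: rc/dev tag => pre-release
    return (int(major), int(minor), int(patch or 0), rank)


def parse_hg_version_output(text: str) -> str:
    """Extract the version from `hg version` output (format assumed, e.g.
    "Mercurial Distributed SCM (version 4.5.1)")."""
    m = re.search(r"\(version ([^)]+)\)", text)
    if not m:
        raise ValueError("no version found in hg output")
    return m.group(1)


def is_affected(version: str) -> bool:
    """True if the upstream version is older than 4.5.2 (heuristic; ignores distro backports)."""
    return version_tuple(upstream_version(version)) < FIXED_UPSTREAM


if __name__ == "__main__":
    # Constructed sample inputs: the version from the report and the fixed upload.
    for sample in ("4.0-1+deb9u1", "4.5.2-1", "1:4.5.1", "4.5.2rc1"):
        print("%-14s affected=%s" % (sample, is_affected(sample)))
    hg_out = "Mercurial Distributed SCM (version 4.5.1)"   # constructed
    print("hg version ->", parse_hg_version_output(hg_out),
          "affected=%s" % is_affected(parse_hg_version_output(hg_out)))
```

Run it on `dpkg-query -W -f '${Version}' mercurial` or `hg version` output from each host; a "not affected" result still only says the upstream number is at or above 4.5.2, so confirm against the distribution's own changelog where a backport is suspected.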
--- Begin Message ---
Source: mercurial
Version: 4.5.2-1
Apologies for not including this in the package changelog. The 4.5.2
release (just uploaded) includes fixes for these security bugs.
Cheers,
Julien
--- End Message ---