Your message dated Sat, 04 Oct 2008 11:02:07 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#500781: fixed in mercurial 1.0.1-5.1
has caused the Debian Bug report #500781,
regarding CVE-2008-4297: privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
500781: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500781
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mercurial
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mercurial.

CVE-2008-4297[0]:
| Mercurial before 1.0.2 does not enforce the allowpull permission
| setting for a pull operation from hgweb, which allows remote attackers
| to read arbitrary files from a repository via an "hg pull" request.

I am not sure about the severity of this issue, could you please investigate it?

There might be some additional information on the rpath page[1] and the selenic
wiki[2].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4297
    http://security-tracker.debian.net/tracker/CVE-2008-4297
[1] https://issues.rpath.com/browse/RPL-2753
[2] http://www.selenic.com/mercurial/wiki/index.cgi/WhatsNew#head-905b8adb3420a77d92617e06590055bd8952e02b



--- End Message ---
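The CVE text above boils down to a configuration setting that was read but not consulted on one request path. The following is an added illustration, not code from the original report, from Mercurial, or from the Debian package: it models a simplified hgweb-style permission gate in Python. The setting name web.allowpull (default true) is real; the command classification, the SAMPLE_HGRC content and the two gate functions are the example's own assumptions, with the "vulnerable" gate reproducing the behaviour the CVE describes and the "fixed" gate showing what enforcement looks like.

```python
"""Added example (not Mercurial's code): a minimal allowpull permission gate.

Models an hgweb-style front end that reads the [web] section of an hgrc
and decides whether a wire-protocol command may proceed.  The setting
web.allowpull exists in Mercurial; everything else here is simplified.
"""
import configparser

# Constructed sample hgrc: the operator wants browsing but no pulls.
SAMPLE_HGRC = """\
[web]
allowpull = false
description = internal repo
"""

# Hypothetical classification of wire-protocol commands for this example.
# A "pull" is any command that ships changesets or file contents to the
# client; a "browse" command only answers metadata queries.
PULL_COMMANDS = {"changegroup", "changegroupsubset", "stream_out"}
BROWSE_COMMANDS = {"capabilities", "heads", "lookup", "between", "branches"}


def load_web_config(text: str) -> dict:
    """Parse the [web] section; a missing section or key means the default (allowpull on)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {
        # getboolean accepts true/false/yes/no/1/0, the same spellings hgrc takes.
        "allowpull": cp.getboolean("web", "allowpull", fallback=True),
    }


def vulnerable_gate(cfg: dict, command: str) -> bool:
    """'Before' behaviour as the CVE describes it: the setting is loaded (cfg)
    but never consulted on the pull path, so every known command is served."""
    return command in PULL_COMMANDS | BROWSE_COMMANDS


def fixed_gate(cfg: dict, command: str) -> bool:
    """'After' behaviour: pull-class commands are refused when allowpull is false,
    browse commands stay available, and unknown commands are denied outright."""
    if command in PULL_COMMANDS:
        return cfg["allowpull"]
    return command in BROWSE_COMMANDS


if __name__ == "__main__":
    cfg = load_web_config(SAMPLE_HGRC)
    for cmd in sorted(PULL_COMMANDS | BROWSE_COMMANDS):
        print(f"{cmd:18s} vulnerable={vulnerable_gate(cfg, cmd)!s:5s} "
              f"fixed={fixed_gate(cfg, cmd)}")
```

Running the module prints one line per command; with allowpull = false the vulnerable gate still serves changegroup, changegroupsubset and stream_out, while the fixed gate refuses exactly those three. The useful detection angle for an operator is the same in both versions: a pull-class command reaching a repository whose hgrc says allowpull = false is the event worth logging.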
--- Begin Message ---
Source: mercurial
Source-Version: 1.0.1-5.1

We believe that the bug you reported is fixed in the latest version of
mercurial, which is due to be installed in the Debian FTP archive:

mercurial-common_1.0.1-5.1_all.deb
  to pool/main/m/mercurial/mercurial-common_1.0.1-5.1_all.deb
mercurial_1.0.1-5.1.diff.gz
  to pool/main/m/mercurial/mercurial_1.0.1-5.1.diff.gz
mercurial_1.0.1-5.1.dsc
  to pool/main/m/mercurial/mercurial_1.0.1-5.1.dsc
mercurial_1.0.1-5.1_amd64.deb
  to pool/main/m/mercurial/mercurial_1.0.1-5.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated mercurial package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 03 Oct 2008 16:25:13 +0200
Source: mercurial
Binary: mercurial mercurial-common
Architecture: source all amd64
Version: 1.0.1-5.1
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 mercurial  - Scalable distributed version control system
 mercurial-common - Scalable distributed version control system (Common files)
Closes: 500781
Changes: 
 mercurial (1.0.1-5.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Honor allowpull configuration setting from hgrc on a repository clone to
     prevent information disclosure (CVE-2008-4297; Closes: #500781).
Checksums-Sha1: 
 c7e437c3f0bf9b21648edea716f9439613cb9eb3 1424 mercurial_1.0.1-5.1.dsc
 d40bae35f665d1c9329eb3a841c89e4e6bb74197 27009 mercurial_1.0.1-5.1.diff.gz
 0d388ea0617978782057cfbcda5d6d97d42c013f 476844 mercurial-common_1.0.1-5.1_all.deb
 f0a1ed6aa66b352dabb90bf13719ed45001145de 93438 mercurial_1.0.1-5.1_amd64.deb
Checksums-Sha256: 
 98b4701fdfb5deb95d3ca26af655246292e02a433f3d97ed4b1974fc705fa549 1424 mercurial_1.0.1-5.1.dsc
 5bffd7e5dd052e2fdf6365bde70829aa547e079fa51b7d40c84403197618dc73 27009 mercurial_1.0.1-5.1.diff.gz
 8b636c8bae0fa5823b30ced7302cda6c5a76c62e13bfefc4a89e8a89ef1a5a64 476844 mercurial-common_1.0.1-5.1_all.deb
 f5f8ad256dc724e33dc3817c293130c468fd5f2d37460c30860b9e99145efb0e 93438 mercurial_1.0.1-5.1_amd64.deb
Files: 
 56eca9b1f9ae4e68a2712e2b9954fd86 1424 devel optional mercurial_1.0.1-5.1.dsc
 ab5b4a29776cd2ae44eb16c1d8b1b45b 27009 devel optional mercurial_1.0.1-5.1.diff.gz
 b67f1538d937751df454120758efaecd 476844 devel optional mercurial-common_1.0.1-5.1_all.deb
 52653ce57cebb4b67f8ebd2ce9419345 93438 devel optional mercurial_1.0.1-5.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjnSMMACgkQHYflSXNkfP+rjQCglHGYc76CDTkZml2AISoOY7fI
2bsAnAxQ/x1Jp/5KzR7SVR7R2JjOVDaX
=Xcbx
-----END PGP SIGNATURE-----



--- End Message ---