Debian Bug report logs - #892964
mercurial: CVE-2018-1000132
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 14 Mar 2018 21:33:01 UTC
Severity: grave
Tags: security, upstream
Found in version mercurial/3.1.2-1
Fixed in version 4.5.2-1
Done: Julien Cristau <jcristau@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>: Bug#892964; Package src:mercurial. (Wed, 14 Mar 2018 21:33:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Python Applications Packaging Team <python-apps-team@lists.alioth.debian.org>. (Wed, 14 Mar 2018 21:33:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: mercurial
Version: 3.1.2-1
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for mercurial.
CVE-2018-1000132[0]:
| Mercurial version 4.5 and earlier contains an Incorrect Access Control
| (CWE-285) vulnerability in Protocol server that can result in
| Unauthorized data access. This attack appears to be exploitable via
| network connectivity. This vulnerability appears to have been fixed in
| 4.5.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1000132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000132
[1] https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29
Regards,
Salvatore
Reply sent to Julien Cristau <jcristau@debian.org>: You have taken responsibility. (Wed, 21 Mar 2018 13:51:13 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 21 Mar 2018 13:51:13 GMT)
Message #10 received at 892964-done@bugs.debian.org:
Source: mercurial
Version: 4.5.2-1
Apologies for not including this in the package changelog. The 4.5.2
release (just uploaded) includes fixes for these security bugs.
Cheers,
Julien
Last modified: Wed Jun 19 17:35:23 2019