CVE-2018-1000132

NameCVE-2018-1000132
DescriptionMercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1331-1, DLA-1414-1, DLA-2293-1
Debian Bugs892964

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mercurial (PTS)bullseye5.6.1-4fixed
bookworm6.3.2-1fixed
trixie, sid6.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mercurialsourcewheezy2.2.2-4+deb7u7DLA-1331-1
mercurialsourcejessie3.1.2-2+deb8u5DLA-1414-1
mercurialsourcestretch4.0-1+deb9u2DLA-2293-1
mercurialsource(unstable)4.5.2-1892964

Notes

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29
https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1 (4.5.2)
Backports for older branches in https://hg.mozilla.org/users/gszorc_mozilla.com/hg
4.4: 4843835c835::7cf827e5f8af
4.3: db527ae12671::86f9a022ccb8

Search for package or bug name: Reporting problems