Description: Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in the protocol server that can result in unauthorized data access. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1331-1, DLA-1414-1
NVD severity: medium (attack range: remote)
Debian Bugs: 892964

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release                     | Version          | Status
mercurial (PTS)  | jessie                      | 3.1.2-2+deb8u4   | vulnerable
                 | jessie (security)           | 3.1.2-2+deb8u6   | fixed
                 | stretch (security), stretch | 4.0-1+deb9u1     | vulnerable
                 | buster, sid                 | 4.7.1-1          | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs

Notes
(4.5.2)
Backports for older branches in
4.4: 4843835c835::7cf827e5f8af
4.3: db527ae12671::86f9a022ccb8
