CVE-2018-1000132

Name: CVE-2018-1000132
Description: Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1331-1, DLA-1414-1, DLA-2293-1
NVD severity: medium
Debian Bugs: 892964

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release            | Version          | Status
mercurial (PTS)  | stretch            | 4.0-1+deb9u1     | vulnerable
                 | stretch (security) | 4.0-1+deb9u2     | fixed
                 | buster             | 4.8.2-1+deb10u1  | fixed
                 | bullseye, sid      | 5.6.1-2          | fixed

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version   | Urgency | Origin     | Debian Bugs
mercurial | source | wheezy     | 2.2.2-4+deb7u7  |         | DLA-1331-1 |
mercurial | source | jessie     | 3.1.2-2+deb8u5  |         | DLA-1414-1 |
mercurial | source | stretch    | 4.0-1+deb9u2    |         | DLA-2293-1 |
mercurial | source | (unstable) | 4.5.2-1         |         |            | 892964

Notes

https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.5.1_.2F_4.5.2_.282018-03-06.29
https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1 (4.5.2)
Backports for older branches in https://hg.mozilla.org/users/gszorc_mozilla.com/hg
4.4: 4843835c835::7cf827e5f8af
4.3: db527ae12671::86f9a022ccb8
