Quoting the most interesting bits:

All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP server that allow permissions bypass to:

  • Perform writes on repositories that should be read-only
  • Perform reads on repositories that shouldn’t allow read access

The nature of the vulnerabilities is:

  • Wire protocol commands that didn’t explicitly declare their permissions had no permissions checking done. The web.{allow-pull, allow-push, deny_read, etc} config options governing access control were never consulted when running these commands. This allowed permissions bypass for impacted commands.
  • The batch wire protocol command did not list its permission requirements nor did it enforce permissions on individual sub-commands.
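
The two flaws quoted above, reduced to a toy dispatcher alongside a fail-closed variant. This is an added example, not Mercurial's code or its actual fix: the command names (`getdata`, `putdata`, `setkey`), the function names and the boolean form of the `allow-pull`/`allow-push` settings are assumptions made for illustration.

```python
# Toy model of a wire-protocol dispatcher. Not Mercurial's code: every name is hypothetical.
DECLARED = {"getdata": "pull", "putdata": "push"}  # command -> permission it declares
# "setkey" is a constructed write command that declares nothing; "batch" wraps sub-commands.
READ_ONLY = {"allow-pull": True, "allow-push": False}  # simplified boolean config

class Denied(Exception):
    pass

def authorize(config, cmd, hardened):
    perm = DECLARED.get(cmd)
    if perm is None:
        if hardened:
            raise Denied(f"{cmd}: no declared permission, failing closed")
        return  # vulnerable: config is never consulted for undeclared commands
    if not config.get("allow-" + perm, False):
        raise Denied(f"{cmd}: requires {perm}")

def run(config, cmd, subcmds=(), hardened=False):
    """Return the commands that would execute, or raise Denied."""
    if cmd != "batch":
        authorize(config, cmd, hardened)
        return [cmd]
    if hardened:
        # Check every sub-command before running any of them.
        for sub in subcmds:
            if sub == "batch":
                raise Denied("nested batch refused")
            authorize(config, sub, hardened=True)
    # vulnerable: batch declares nothing and never checks its sub-commands
    return list(subcmds)

def permitted(config, cmd, subcmds=(), hardened=False):
    try:
        run(config, cmd, subcmds, hardened)
        return True
    except Denied:
        return False

if __name__ == "__main__":
    cases = [("putdata", ()), ("setkey", ()), ("batch", ("getdata", "putdata"))]
    for hardened in (False, True):
        for cmd, subs in cases:
            print(hardened, cmd, subs, permitted(READ_ONLY, cmd, subs, hardened))
```

On the read-only config, the vulnerable path refuses only the command that declared `push`; the undeclared command and the batched write both go through, while the hardened path refuses all three.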