oss-sec mailing list archives

Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Wed, 17 Nov 2010 09:28:41 +0100

Ben Laurie wrote:
> On 15 November 2010 21:58, Steven M. Christey <coley () linus mitre org> wrote:
>> Ouch, this is painful for a number of reasons.
>>
>> Maybe Python "should" get the CVE, but the decision to push the issue to
>> application developers means that those developers will each have to provide
>> fixes, and software consumers will have to track these related vulns at the
>> application level.
>
> It would certainly be safer if Python did the test by default and
> applications had to explicitly turn it off...

Python doesn't verify certificates by default either IIRC. I guess python
simply follows openssl (mis)behavior here. Well, lame excuse anyways.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
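The thread turns on two things an application using Python's ssl module had to do for itself at the time: require chain verification, and check that the certificate's subject (SAN dNSName, or the Common Name as a fallback) actually names the host being contacted. The block below is an added example written for this page; it is not Mercurial's fix, not CPython's implementation, and the matching rules it applies (whole-label wildcard only, one label per wildcard, at least two labels to the right of a wildcard, SAN preferred over CN) are this example's own conservative reading of RFC 6125. `SAMPLE_CERT` and `CN_ONLY_CERT` are constructed dicts in the shape `getpeercert()` returns, not real certificates, and `fetch_peer_cert` is a hypothetical helper that needs a network and is not exercised offline.

```python
"""Hostname check and a verify-by-default TLS context for Python clients.

Added example for this thread; not Mercurial's or CPython's code.
"""
import socket
import ssl


def _match_label_pattern(pattern, hostname):
    """Match one dNSName / commonName pattern against a hostname.

    Rules applied here (an assumption of this example; stricter than some
    implementations):
      - case-insensitive, one trailing dot ignored on either side;
      - a wildcard is honoured only as the entire leftmost label ("*.example.com");
      - the wildcard stands for exactly one label, never zero or several;
      - a wildcard needs at least two literal labels to its right,
        so "*.com" does not cover every .com host.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # partial-label ("f*.example.com") or extra wildcards: reject
    if len(p_labels) < 3:
        return False  # too few literal labels after the wildcard
    if len(h_labels) != len(p_labels):
        return False  # wildcard must consume exactly one label
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert, hostname):
    """True iff `hostname` is covered by the certificate's identities.

    `cert` is a dict shaped like ssl.SSLSocket.getpeercert(). When the
    certificate carries any subjectAltName dNSName entries, only those count;
    the subject commonName is consulted solely when no dNSName is present.
    """
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_match_label_pattern(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _match_label_pattern(value, hostname)
    return False


def make_verifying_context(cafile=None):
    """Client context that verifies the chain and the hostname.

    This is the opt-out default the thread argues for: verification is on
    unless a caller deliberately weakens the context afterwards.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def make_unverified_context():
    """The behaviour the thread complains about: encrypt, but trust any cert.

    Shown for contrast only; never use this for anything you care about.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_peer_cert(hostname, port=443, context=None):
    """Hypothetical helper: connect with a verifying context and return the
    peer certificate dict. Needs network access; not run in the offline test."""
    context = context or make_verifying_context()
    with socket.create_connection((hostname, port)) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            # Belt and braces: the context already checked the hostname, but
            # re-running our own matcher shows what check_hostname enforces.
            if not hostname_matches_cert(cert, hostname):
                raise ssl.CertificateError("hostname mismatch for %s" % hostname)
            return cert


# Constructed samples in getpeercert() shape (not real certificates).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "hg.example.org"),),)}
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}
```

The design choice worth noting is the SAN-over-CN rule: once a certificate has a dNSName, a matching Common Name must not rescue it, otherwise an issuer's mistake in the CN becomes an identity the certificate was never meant to assert.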

