oss-sec mailing list archives

Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly

From: dave b <db.pub.mail () gmail com>
Date: Wed, 17 Nov 2010 20:29:28 +1100

On 17 November 2010 19:40, Matthias Andree <matthias.andree () gmx de> wrote:

Am 16.11.2010 17:02, schrieb Marc Deslauriers:

Thanks for the clarification. Here are some more projects that need CVEs
for this issue:

libcloud:
https://issues.apache.org/jira/browse/LIBCLOUD-55
https://bugs.launchpad.net/ubuntu/+source/libcloud/+bug/675217

Checkbox:
https://bugs.launchpad.net/ubuntu/+source/checkbox/+bug/625076

Bazaar:
https://bugs.edge.launchpad.net/bzr/+bug/651161


In the past, Charles Cazabon's getmail would have had to be added to the
list, but he didn't care and pointed fingers at the Python library
developers, and I'm not sure what the current shape of getmail 4 is, and
don't care sufficiently to look it up.

Getmail used to happily connect to sites that have expired certs, for
instance.


This is already rather boring. Can we keep this about what has a
problem that people actually use and would be problematic (at risk) if
the software was subject to a man in the middled attack.

I don't know about getmail, but offlineimap also has 'this problem'.
See https://bugs.launchpad.net/ubuntu/+source/offlineimap/+bug/675120.

Really 'the issue' is two fold:
1. there is software which *should* check that the ssl connection is
secure but don't even bother to do any kind of checking. (e.g.
offlineimap)
2. then is software which attempts to do the checks that the
developers thought were sufficient but really were not enough (e.g.
bzr, mercurial)

If python blocks these problems in the ssl module and enforces the
checks(all of them *that* it should be doing) by default in the
various http (and other modules) then we can stop 'guessing' at what
may have a problem.
I would also like it if python did not have sslv2 enabled by default
in the ssl module methods. [0]
However, with openssl changing, this will also change afaik. [1]

I have created a new python issue at http://bugs.python.org/issue10442.

[0] - http://seclists.org/fulldisclosure/2010/Nov/138
[1] - http://bugs.python.org/issue8322

--
Suspicion always haunts the guilty mind.                -- Wm. Shakespeare

Current thread:

CVE Request -- Mercurial --Doesn't verify subject Common Name properly Jan Lieskovsky (Oct 08)
- <Possible follow-ups>
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Josh Bressers (Oct 11)
  - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Marc Deslauriers (Nov 14)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Steven M. Christey (Nov 15)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Marc Deslauriers (Nov 16)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Matthias Andree (Nov 17)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly dave b (Nov 17)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Ben Laurie (Nov 16)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Ludwig Nussel (Nov 17)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly dave b (Nov 17)