CVE Request -- Mercurial --Doesn't verify subject Common Name properly

[Jan Lieskovsky <jlieskov () redhat com>]

Hello Steve, vendors,

  a security flaw was found in the way Mercurial handled subject
Common Name field of the provided certificate (the check
if the commonName in the received certificate matches the
requested hostname was not performed). An attacker, able
to get a carefully-crafted certificate signed by a Certificate
Authority could use the certificate during a man-in-the-middle
attack and potentially confuse Mercurial into accepting it by
mistake.

References:
[1] http://mercurial.selenic.com/bts/issue2407
[2] https://bugzilla.redhat.com/show_bug.cgi?id=641373
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598841
Upstream patch:
[4] http://selenic.com/repo/hg-stable/diff/f2937d6492c5/mercurial/url.py

According to [1] the true reason for this problem is the new python SSL
module implementation:
[5] http://bugs.python.org/issue1589
[6] http://svn.python.org/view?view=rev&revision=85321

and as stated in:
[7] http://bugs.python.org/issue1589#msg58472

it should be decision made by application designers, if the subject CN
field will be checked despite of the python SSL module implementation.

So could you allocate a CVE identifier for this issue(s)?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team