oss-sec mailing list archives
CVE Request -- Mercurial --Doesn't verify subject Common Name properly
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 08 Oct 2010 17:07:02 +0200
Hello Steve, vendors, a security flaw was found in the way Mercurial handled subject Common Name field of the provided certificate (the check if the commonName in the received certificate matches the requested hostname was not performed). An attacker, able to get a carefully-crafted certificate signed by a Certificate Authority could use the certificate during a man-in-the-middle attack and potentially confuse Mercurial into accepting it by mistake. References: [1] http://mercurial.selenic.com/bts/issue2407 [2] https://bugzilla.redhat.com/show_bug.cgi?id=641373 [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598841 Upstream patch: [4] http://selenic.com/repo/hg-stable/diff/f2937d6492c5/mercurial/url.py According to [1] the true reason for this problem is the new python SSL module implementation: [5] http://bugs.python.org/issue1589 [6] http://svn.python.org/view?view=rev&revision=85321 and as stated in: [7] http://bugs.python.org/issue1589#msg58472 it should be decision made by application designers, if the subject CN field will be checked despite of the python SSL module implementation. So could you allocate a CVE identifier for this issue(s)? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request -- Mercurial --Doesn't verify subject Common Name properly Jan Lieskovsky (Oct 08)
- <Possible follow-ups>
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Josh Bressers (Oct 11)
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Marc Deslauriers (Nov 14)
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Steven M. Christey (Nov 15)
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Marc Deslauriers (Nov 16)
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Matthias Andree (Nov 17)
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly dave b (Nov 17)
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Marc Deslauriers (Nov 14)
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Ben Laurie (Nov 16)
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Ludwig Nussel (Nov 17)
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly dave b (Nov 17)