Date: Fri, 08 Oct 2010 17:07:02 +0200 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security <oss-security@...ts.openwall.com>, Bill Janssen <bill.janssen@...il.com>, Andreas Hasenack <ahasenack@...ra.com.br>, Mads Kiilerich <mads@...lerich.com> Subject: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Hello Steve, vendors, a security flaw was found in the way Mercurial handled subject Common Name field of the provided certificate (the check if the commonName in the received certificate matches the requested hostname was not performed). An attacker, able to get a carefully-crafted certificate signed by a Certificate Authority could use the certificate during a man-in-the-middle attack and potentially confuse Mercurial into accepting it by mistake. References:  http://mercurial.selenic.com/bts/issue2407  https://bugzilla.redhat.com/show_bug.cgi?id=641373  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598841 Upstream patch:  http://selenic.com/repo/hg-stable/diff/f2937d6492c5/mercurial/url.py According to  the true reason for this problem is the new python SSL module implementation:  http://bugs.python.org/issue1589  http://svn.python.org/view?view=rev&revision=85321 and as stated in:  http://bugs.python.org/issue1589#msg58472 it should be decision made by application designers, if the subject CN field will be checked despite of the python SSL module implementation. So could you allocate a CVE identifier for this issue(s)? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.