Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 08 Oct 2010 17:07:02 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
        Bill Janssen <bill.janssen@...il.com>,
        Andreas Hasenack <ahasenack@...ra.com.br>,
        Mads Kiilerich <mads@...lerich.com>
Subject: CVE Request -- Mercurial --Doesn't verify subject Common Name properly

Hello Steve, vendors,

   a security flaw was found in the way Mercurial handled subject
Common Name field of the provided certificate (the check
if the commonName in the received certificate matches the
requested hostname was not performed). An attacker, able
to get a carefully-crafted certificate signed by a Certificate
Authority could use the certificate during a man-in-the-middle
attack and potentially confuse Mercurial into accepting it by
mistake.

References:
[1] http://mercurial.selenic.com/bts/issue2407
[2] https://bugzilla.redhat.com/show_bug.cgi?id=641373
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598841
Upstream patch:
[4] http://selenic.com/repo/hg-stable/diff/f2937d6492c5/mercurial/url.py

According to [1] the true reason for this problem is the new python SSL
module implementation:
[5] http://bugs.python.org/issue1589
[6] http://svn.python.org/view?view=rev&revision=85321

and as stated in:
[7] http://bugs.python.org/issue1589#msg58472

it should be decision made by application designers, if the subject CN
field will be checked despite of the python SSL module implementation.

So could you allocate a CVE identifier for this issue(s)?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.