Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Nov 2010 09:28:41 +0100
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly

Ben Laurie wrote:
> On 15 November 2010 21:58, Steven M. Christey <coley@...us.mitre.org> wrote:
> > Ouch, this is painful for a number of reasons.
> >
> > Maybe Python "should" get the CVE, but the decision to push the issue to
> > application developers means that those developers will each have to provide
> > fixes, and software consumers will have to track these related vulns at the
> > application level.
> 
> It would certainly be safer if Python did the test by default and
> applications had to explicitly turn it off...

Python doesn't verify certificates by default either IIRC. I guess python
simply follows openssl (mis)behavior here. Well, lame excuse anyways.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.