Mercurial vulnerability? CVE-2010-4237

Mads Kiilerich mads at
Thu Dec 9 07:20:54 CST 2010

On 12/09/2010 09:44 AM, Dirkjan Ochtman wrote:
> Without wanting to be alarmist, there's a note in this week's LWN
> about security issue in Mercurial, found by Novell.
> This appears to have something to do with our lacking checks on SSL
> certificates. I didn't find anything in the WhatsNew, so I wonder if
> this was addressed already at some point?

"Dave" found the issue and made noise about it, we released the fix in 
1.6.4 two days after, and Red Hat requested a CVE while we were 
sprinting in Chicago. CVE-2010-4237 was mentioned informally (AFAIK) on 
oss-security 1½ months after, but according to it isn't 
official yet, so there hasn't been much news to report to the list.

Red Hat is tracking it at .

Note that the user only gets https validation if web.cacerts is 
configured/specified. That is clearly documented (even though the 
setting confusingly is hiding among web _server_ options - it would make 
sense to me to introduce ui.cacerts instead).

I think we should be "secure" by default and help the user to know when 
he is "insecure". We could:

1. issue a warning whenever https is used without cacerts

2. encourage packagers to configure cacerts by default - for Fedora that 
could be by creating a /etc/mercurial/hgrc.d/cacerts.rc with 
'[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt'. People who rely on 
self-signed certificates will probably experience a regression until 
they configure their system to trust their own certificates.

Related or not, we still don't verify certificates when connecting 
through an http proxy. works 
for plain 2.6 and 2.7 and doesn't regress on 2.4 and 2.5, but it ended 
. Either someone should decide that we don't care about non-standard ssl 
module (on 2.5), or someone who cares should fix it.
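An added illustration of the two points above (not code from the thread or from Mercurial): an hgrc without web.cacerts beside the packager-style Fedora fragment, plus the "warn on https without cacerts" check from proposal 1, extended with the proxy case the post mentions. It assumes that Python's configparser is close enough to Mercurial's INI-like hgrc syntax for this purpose; the hgrc fragments and hostnames are constructed.

```python
import configparser
from urllib.parse import urlparse

# Constructed hgrc fragments: the unverified default (no cacerts at all)
# beside the /etc/mercurial/hgrc.d/cacerts.rc content suggested for Fedora.
HGRC_WITHOUT_CACERTS = "[ui]\nusername = alice\n"
HGRC_FEDORA_CACERTS = "[web]\ncacerts = /etc/pki/tls/certs/ca-bundle.crt\n"


def cacerts_path(hgrc_text):
    """Return the web.cacerts value from an hgrc, or None if it is unset.

    Assumption: configparser approximates Mercurial's hgrc parser well
    enough for this check (it is not Mercurial's own config code).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(hgrc_text)
    value = cp.get("web", "cacerts", fallback="").strip()
    return value or None


def https_warning(url, hgrc_text, proxy=None):
    """Proposal 1 from the thread: tell the user when an https connection
    will not have its certificate validated.

    Returns a warning string, or None when the connection is either plain
    http (nothing to validate) or https with a CA bundle configured and no
    proxy in the way. The proxy branch reflects the post's statement that
    certificates were not verified through an http proxy at the time.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        return None
    if cacerts_path(hgrc_text) is None:
        return ("warning: %s: certificate not verified "
                "(web.cacerts not configured)" % parsed.netloc)
    if proxy:
        return ("warning: %s: certificate not verified when connecting "
                "through http proxy %s" % (parsed.netloc, proxy))
    return None
```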
