Mercurial vulnerability? CVE-2010-4237
Mads Kiilerich
mads at kiilerich.com
Thu Dec 9 07:20:54 CST 2010
On 12/09/2010 09:44 AM, Dirkjan Ochtman wrote:
> Without wanting to be alarmist, there's a note in this week's LWN
> about security issue in Mercurial, found by Novell.
>
> https://bugzilla.novell.com/show_bug.cgi?id=645293
>
> This appears to have something to do with our lacking checks on SSL
> certificates. I didn't find anything in the WhatsNew, so I wonder if
> this was addressed already at some point?
"Dave" found the issue and made noise about it, we released the fix in
1.6.4 two days after, and Red Hat requested a CVE while we were
sprinting in Chicago. CVE-2010-4237 was mentioned informally (AFAIK) on
oss-security 1½ months after, but according to
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4237 it isn't
official yet, so there hasn't been much news to report to the list.
Red Hat is tracking it at
https://bugzilla.redhat.com/show_bug.cgi?id=641373 .
Note that the user only gets https validation if web.cacerts is
configured/specified. That is clearly documented (even though the
setting confusingly is hiding among web _server_ options - it would make
sense to me to introduce ui.cacerts instead).
I think we should be "secure" by default and help the user to know when
he is "insecure". We could:
1. issue a warning whenever https is used without cacerts
2. encourage packagers to configure cacerts by default - for Fedora that
could be by creating a /etc/mercurial/hgrc.d/cacerts.rc with
'[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt'. People who rely on
self-signed certificates will probably experience a regression until
they configure their system to trust their own certificates.
Related or not, we still don't verify certificates when connecting
through http proxy.
http://www.selenic.com/pipermail/mercurial-devel/2010-October/025774.html
works for plain 2.6 and 2.7 and doesn't regress on 2.4 and 2.5, but it
ended with
http://www.selenic.com/pipermail/mercurial-devel/2010-November/025808.html.
Either someone should decide that we don't care about non-standard ssl
module (on 2.5), or someone who cares should fix it.
/Mads
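The check proposed as item 1 above (warn whenever https is used without a configured CA bundle), written out as an added example. This is not Mercurial's own code and not code from the thread; it assumes hgrc files use the INI syntax that Python's configparser can read, and the config texts and the URL are constructed sample values (the CA bundle path is the one quoted in the message).

```python
"""Warn when an https URL would be fetched without web.cacerts configured.

Added example, not Mercurial code. Assumes hgrc is plain INI ([section] /
key = value), which configparser handles. Sample configs are constructed.
"""
import configparser
import os
from typing import List, Optional


def read_cacerts(hgrc_text: str) -> Optional[str]:
    """Return the value of web.cacerts from hgrc text, or None if unset/empty."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(hgrc_text)
    if cp.has_section("web") and cp.has_option("web", "cacerts"):
        value = cp.get("web", "cacerts").strip()
        return value or None
    return None


def check_https_validation(url: str, hgrc_text: str,
                           path_exists=os.path.exists) -> List[str]:
    """Return a list of warnings for a URL fetched under the given hgrc.

    An https URL with no web.cacerts means the server certificate is not
    validated at all; a cacerts path that does not exist is flagged too.
    path_exists is injectable so the check runs without touching the disk.
    """
    warnings = []
    if not url.lower().startswith("https://"):
        return warnings  # plain http: nothing to validate
    cacerts = read_cacerts(hgrc_text)
    if cacerts is None:
        warnings.append("https used without web.cacerts: "
                        "server certificate will not be verified")
    elif not path_exists(cacerts):
        warnings.append("web.cacerts points to a missing file: %s" % cacerts)
    return warnings


# Constructed sample configs: one with no cacerts at all, one using the
# Fedora-style bundle path from the message.
HGRC_NO_CACERTS = "[ui]\nusername = example user\n"
HGRC_FEDORA = "[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt\n"

if __name__ == "__main__":
    for name, cfg in (("no cacerts", HGRC_NO_CACERTS), ("fedora", HGRC_FEDORA)):
        print(name, check_https_validation("https://hg.example.org/repo", cfg))
```

Run it as a script to see the warning for the first config and, on a host that actually has the Fedora bundle installed, no warning for the second.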