Mercurial vulnerability? CVE-2010-4237

Mads Kiilerich mads at kiilerich.com
Thu Dec 9 07:20:54 CST 2010


On 12/09/2010 09:44 AM, Dirkjan Ochtman wrote:
> Without wanting to be alarmist, there's a note in this week's LWN
> about security issue in Mercurial, found by Novell.
>
> https://bugzilla.novell.com/show_bug.cgi?id=645293
>
> This appears to have something to do with our lacking checks on SSL
> certificates. I didn't find anything in the WhatsNew, so I wonder if
> this was addressed already at some point?

"Dave" found the issue and made noise about it, we released the fix in 
1.6.4 two days after, and Red Hat requested a CVE while we were 
sprinting in Chicago. CVE-2010-4237 was mentioned informally (AFAIK) on 
oss-security 1½ months after, but according to 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4237 it isn't 
official yet, so there hasn't been much news to report to the list.

Red Hat is tracking it at 
https://bugzilla.redhat.com/show_bug.cgi?id=641373 .

Note that the user only gets https validation if web.cacerts is 
configured/specified. That is clearly documented (even though the 
setting confusingly is hiding among web _server_ options - it would make 
sense to me to introduce ui.cacerts instead).

I think we should be "secure" by default and help the user to know when 
he is "insecure". We could:

1. issue a warning whenever https is used without cacerts

2. encourage packagers to configure cacerts by default - for Fedora that 
could be by creating a /etc/mercurial/hgrc.d/cacerts.rc with 
'[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt'. People who rely on 
self-signed certificates will probably experience a regression until 
they configure their system to trust their own certificates.

Related or not, we still don't verify certificates when connecting 
through http proxy. 
http://www.selenic.com/pipermail/mercurial-devel/2010-October/025774.html works 
for plain 2.6 and 2.7 and doesn't regress on 2.4 and 2.5, but it ended 
with 
http://www.selenic.com/pipermail/mercurial-devel/2010-November/025808.html 
. Either someone should decide that we don't care about non-standard ssl 
module (on 2.5), or someone who cares should fix it.

/Mads
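
As an added illustration of the two proposals above (warn whenever https is used without cacerts; ship a packager default such as the Fedora cacerts.rc), the following audit script is example code written for this page, not Mercurial's own code. It parses hgrc text with Python's configparser (which covers the INI subset used here; Mercurial's own parser also understands %include, %unset and continuation lines), reads the real web.cacerts and http_proxy.host settings, and also honours a ui.cacerts key only because the post floats it, which is an assumption. The sample configs are constructed, and the CA-bundle existence check is injectable so it runs without /etc/pki.

```python
"""Audit an hgrc-style configuration for the situation this thread describes:
with the Mercurial 1.6.x defaults, an https:// remote is only certificate-
checked when web.cacerts is configured, and (per Mads) not at all when the
connection goes through an http proxy.

Hypothetical audit script written for this page, not Mercurial code.
"""
import configparser
import io
import os
from urllib.parse import urlsplit

# Packager default proposed in the thread for Fedora (proposal 2).
FEDORA_CACERTS_RC = "[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt\n"


def load_hgrc(text):
    """Parse hgrc text; Mercurial keys are case-sensitive, so keep them.
    strict=False makes a repeated key last-wins, as Mercurial does."""
    cfg = configparser.RawConfigParser(strict=False)
    cfg.optionxform = str
    cfg.read_file(io.StringIO(text))
    return cfg


def cacerts_setting(cfg):
    """CA bundle path from web.cacerts (the real setting) or from ui.cacerts,
    the alternative floated in the post and honoured here only as an
    assumption.  None when neither is set to a non-empty value."""
    for section in ("web", "ui"):
        if cfg.has_option(section, "cacerts"):
            value = cfg.get(section, "cacerts").strip()
            if value:
                return os.path.expanduser(value)
    return None


def uses_http_proxy(cfg):
    """[http_proxy] host = ... sends remote traffic through a proxy."""
    return bool(cfg.has_option("http_proxy", "host")
                and cfg.get("http_proxy", "host").strip())


def audit_remote(cfg, url, path_exists=os.path.exists):
    """Classify one remote URL and build the warning proposal 1 asks for.

    Statuses: 'not-https' (nothing to validate), 'validated',
    'unvalidated' (https without cacerts), 'missing-bundle' (cacerts set
    but the file is absent), 'proxy-unvalidated' (https via http proxy).
    path_exists is injectable so the example runs without /etc/pki."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        return {"url": url, "status": "not-https", "warning": None}

    bundle = cacerts_setting(cfg)
    if bundle is None:
        return {"url": url, "status": "unvalidated",
                "warning": "warning: %s: https certificate not verified "
                           "(web.cacerts not configured)" % url}
    if not path_exists(bundle):
        return {"url": url, "status": "missing-bundle",
                "warning": "warning: %s: web.cacerts bundle %s does not "
                           "exist" % (url, bundle)}
    if uses_http_proxy(cfg):
        return {"url": url, "status": "proxy-unvalidated",
                "warning": "warning: %s: https via http_proxy.host is not "
                           "certificate-checked" % url}
    return {"url": url, "status": "validated", "warning": None}


def audit_paths(cfg, path_exists=os.path.exists):
    """Audit every remote listed under [paths] (e.g. the 'default' remote)."""
    if not cfg.has_section("paths"):
        return []
    return [audit_remote(cfg, cfg.get("paths", name), path_exists)
            for name in cfg.options("paths")]


if __name__ == "__main__":
    # Constructed sample: a typical user hgrc with no cacerts at all.
    sample = "[paths]\ndefault = https://hg.example.org/repo\n"
    for result in audit_paths(load_hgrc(sample)):
        print(result["warning"] or "%s: ok" % result["url"])
```

Run against a user's ~/.hgrc plus the system hgrc.d files concatenated, this reports the "insecure" cases the post wants surfaced: an https remote with no bundle configured, a configured bundle that is missing (the regression self-signed-certificate users would hit until they add their CA), and an https remote routed through http_proxy.host.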

