Mercurial vulnerability? CVE-2010-4237
mads at kiilerich.com
Thu Dec 9 07:20:54 CST 2010
On 12/09/2010 09:44 AM, Dirkjan Ochtman wrote:
> Without wanting to be alarmist, there's a note in this week's LWN
> about a security issue in Mercurial, found by Novell.
> This appears to have something to do with our lacking checks on SSL
> certificates. I didn't find anything in the WhatsNew, so I wonder if
> this was addressed already at some point?
"Dave" found the issue and made noise about it, we released the fix in
1.6.4 two days after, and Red Hat requested a CVE while we were
sprinting in Chicago. CVE-2010-4237 was mentioned informally (AFAIK) on
oss-security 1½ months after, but according to
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4237 it isn't
official yet, so there hasn't been much news to report to the list.
Red Hat is tracking it at
Note that the user only gets https validation if web.cacerts is
configured/specified. That is clearly documented (even though the
setting confusingly is hiding among web _server_ options - it would make
sense to me to introduce ui.cacerts instead).
I think we should be "secure" by default and help the user to know when
he is "insecure". We could:
1. issue a warning whenever https is used without cacerts
2. encourage packagers to configure cacerts by default - for Fedora that
could be by creating a /etc/mercurial/hgrc.d/cacerts.rc with
'[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt'. People who rely on
self-signed certificates will probably experience a regression until
they configure their system to trust their own certificates.
Related or not, we still don't verify certificates when connecting
through http proxy.
for plain 2.6 and 2.7 and doesn't regress on 2.4 and 2.5, but it ended
. Either someone should decide that we don't care about non-standard ssl
module (on 2.5), or someone who cares should fix it.
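As an added illustration of the warning proposed in point 1 above (this is not code from the thread or from Mercurial itself), the snippet below models the behaviour the mail describes: an https connection is only validated when web.cacerts is set, and a connection through an http proxy is never validated. The hgrc fragments are constructed for the example; [http_proxy] is Mercurial's real proxy section, but the "no" exemption matching here is simplified to exact hostnames.

```python
"""Model of when Mercurial (as described in the thread, 1.6.x era) actually
validates an https server certificate, plus the warning proposed in the mail.

Assumptions taken from the thread, not from Mercurial's own code:
  * https is validated only when [web] cacerts points at a CA bundle;
  * connections made through an http proxy are not validated at all.
"""
import configparser
from urllib.parse import urlsplit

# Constructed hgrc fragments (not real files). Layered the way Mercurial reads
# /etc/mercurial/hgrc.d/*.rc first and the user's ~/.hgrc afterwards.
FEDORA_CACERTS_RC = "[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt\n"
USER_RC_NO_CACERTS = "[ui]\nusername = Example User <user@example.org>\n"
USER_RC_PROXY = "[http_proxy]\nhost = proxy.example.org:3128\nno = hg.example.org\n"


def load_hgrc(fragments):
    """Parse hgrc fragments in order; later ones override earlier ones."""
    cfg = configparser.ConfigParser(interpolation=None)
    for text in fragments:
        cfg.read_string(text)
    return cfg


def proxy_for(cfg, host):
    """Return the configured proxy host, or None if unset or exempted.

    Simplified: [http_proxy] no is treated as an exact hostname list
    (Mercurial's own matching is more permissive).
    """
    proxy = cfg.get("http_proxy", "host", fallback="").strip()
    if not proxy:
        return None
    exempt = [h.strip() for h in cfg.get("http_proxy", "no", fallback="").split(",")]
    if host in [h for h in exempt if h]:
        return None
    return proxy


def tls_status(cfg, url):
    """Classify how a pull/push to ``url`` would be protected.

    Returns one of: "plaintext", "verified",
    "unverified: http proxy in use", "unverified: web.cacerts not set".
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "plaintext"
    if proxy_for(cfg, parts.hostname):
        # Assumption from the thread: no certificate check through a proxy.
        return "unverified: http proxy in use"
    if not cfg.get("web", "cacerts", fallback="").strip():
        # Assumption from the thread: validation happens only with cacerts.
        return "unverified: web.cacerts not set"
    return "verified"


def warn_if_insecure(cfg, url):
    """The warning proposed in point 1: tell the user when https is not
    being validated. Returns the warning text, or None when nothing to say."""
    status = tls_status(cfg, url)
    if status.startswith("unverified"):
        return "warning: %s certificate not validated (%s)" % (
            urlsplit(url).hostname, status.split(": ", 1)[1])
    return None


if __name__ == "__main__":
    url = "https://hg.example.org/repo"
    for name, fragments in [
        ("no cacerts", [USER_RC_NO_CACERTS]),
        ("Fedora default", [FEDORA_CACERTS_RC, USER_RC_NO_CACERTS]),
        ("Fedora default + proxy", [FEDORA_CACERTS_RC, USER_RC_PROXY]),
    ]:
        cfg = load_hgrc(fragments)
        print("%-24s %s" % (name, warn_if_insecure(cfg, url) or tls_status(cfg, url)))
```

With the Fedora fragment in place a plain https pull reports "verified", while a user whose hgrc never mentions cacerts gets the warning; note that the proxy case stays unverified even with cacerts set, which is the separate problem raised at the end of the mail.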