Mercurial vulnerability? CVE-2010-4237

Thomas Arendsen Hein thomas at intevation.de
Fri Dec 10 05:27:12 CST 2010


* Mads Kiilerich <mads at kiilerich.com> [20101209 14:21]:
> I think we should be "secure" by default and help the user to know when  
> he is "insecure". We could:
>
> 1. issue a warning whenever https is used without cacerts

+1

> 2. encourage packagers to configure cacerts by default - for Fedora that  
> could be by creating a /etc/mercurial/hgrc.d/cacerts.rc with  
> '[web]\ncacerts=/etc/pki/tls/certs/ca-bundle.crt'. People who rely on  
> self-signed certificates will probably experience a regression until  
> they configure their system to trust their own certificates.

/etc/ssl/certs/ca-certificates.crt on Debian. Since squeeze (6.0)
there is official documentation on how to include your own CAs in
this, but a similar way already works in lenny (5.0).

> Related or not, we still don't verify certificates when connecting  
> through http proxy.  
> http://www.selenic.com/pipermail/mercurial-devel/2010-October/025774.html 
> works for plain 2.6 and 2.7 and doesn't regress on 2.4 and 2.5, but it 
> ended with  
> http://www.selenic.com/pipermail/mercurial-devel/2010-November/025808.html 
> . Either someone should decide that we don't care about non-standard ssl  
> module (on 2.5), or someone who cares should fix it.

Sorry, my usual priority interrupts.

I tried using python 2.5 and the non-standard ssl module two days
ago: No luck when pointing web.cacerts to ca-certificates.crt, it
always yields SSL errors, no problems when pointing to a single CA
cert or when using python 2.6.

So I would say the general usefulness on python 2.5 is not that
good, therefore supporting certificate checks through proxy is not
important here either.

So I'm happy with the patch as long as tests on python 2.5 do not
fail and insecure https with and without proxy still works (with an
abort on default and warning if user overrides of course).

Regards,
Thomas

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
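
An added example, not part of the original message and not Mercurial's own code: a small Python audit that applies proposal 1 from the quoted text, flagging https paths in an hgrc when web.cacerts is unset or points to a missing file. Parsing hgrc with configparser is an approximation (an assumption of this example), and the sample configs and the hostname hg.example.org are constructed.

```python
import configparser
import os


def audit_hgrc(text, exists=os.path.isfile):
    """Return a list of findings for the text of one hgrc file.

    Assumption: hgrc is close enough to INI for configparser; Mercurial
    directives such as %include are skipped, not followed.
    """
    body = "\n".join(l for l in text.splitlines() if not l.startswith("%"))
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep path aliases case-sensitive
    cp.read_string(body)

    cacerts = cp.get("web", "cacerts", fallback="").strip()
    findings = []
    if cacerts and not exists(os.path.expanduser(cacerts)):
        findings.append("web.cacerts points to a missing file: %s" % cacerts)
    if not cacerts and cp.has_section("paths"):
        for alias, url in cp.items("paths"):
            if url.strip().lower().startswith("https://"):
                findings.append(
                    "path '%s' uses https but web.cacerts is not set; "
                    "the server certificate is not verified" % alias)
    return findings


# Constructed sample: https in use, no CA bundle configured.
INSECURE = """\
[paths]
default = https://hg.example.org/repo
mirror = http://hg.example.org/repo
"""

# Constructed sample using the Fedora bundle path named in the thread.
WITH_CACERTS = INSECURE + """\
[web]
cacerts=/etc/pki/tls/certs/ca-bundle.crt
"""

if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE), ("with cacerts", WITH_CACERTS)):
        print(label, audit_hgrc(cfg) or "no findings")
```
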

