Mercurial vulnerability? CVE-2010-4237
mads at kiilerich.com
Fri Dec 10 07:21:46 CST 2010
On 12/10/2010 12:27 PM, Thomas Arendsen Hein wrote:
> * Mads Kiilerich<mads at kiilerich.com> [20101209 14:21]:
>> Related or not, we still don't verify certificates when connecting
>> through http proxy.
>> works for plain 2.6 and 2.7 and doesn't regress on 2.4 and 2.5, but it
>> ended with
>> . Either someone should decide that we don't care about non-standard ssl
>> module (on 2.5), or someone who cares should fix it.
> Sorry, my usual priority interrupts.
> I tried using python 2.5 and the non-standard ssl module two days
> ago: No luck when pointing web.cacerts to ca-certificates.crt, it
> always yields SSL errors, no problems when pointing to a single CA
> cert or when using python 2.6.
> So I would say the general usefulness on python 2.5 is not that
> good, therefore supporting certificate checks through proxy is not
> important here either.
> So I'm happy with the patch as long as tests on python 2.5 do not
> fail and insecure https with and without proxy still works
I can fix test-https.t so it runs on 2.6+ only. (2.6+ is IMHO all we can
and will support when it comes to https stuff. It was pure coincidence
that it was run and worked on 2.5.)
But if I understand you correctly you _do_ see some issues with my patch
on 2.5 with the non-standard ssl?
Should we ignore that and take the fix for 2.6/2.7, or should we wait
for someone to fix it for 2.5 with non-standard ssl?
> (with an
> abort on default and warning if user overrides of course).
Sorry, I don't get that.
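The thread's underlying concern is that a TLS connection tunnelled through an HTTP proxy (via CONNECT) must still be verified against the configured CA bundle (web.cacerts) and checked against the origin host's name, not the proxy's. The following is an added illustration of that layering, written for Python 3 rather than the 2.5/2.6 interpreters discussed above; it is not Mercurial's code. The function names, the proxy/target parameters and the sample CONNECT reply are assumptions constructed for this example.

```python
"""Verify the server certificate even when TLS is tunnelled through an
HTTP proxy. Added illustration for Python 3; not Mercurial's own code."""
import socket
import ssl

# Constructed sample of a proxy's reply to CONNECT (not captured from a
# real proxy); used to exercise the parser below without a network.
SAMPLE_CONNECT_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"


def parse_connect_response(data: bytes):
    """Parse the proxy's reply to a CONNECT request.

    Returns (status_code, leftover_bytes). leftover_bytes is anything the
    proxy sent after the blank line ending the headers. A well-behaved proxy
    sends nothing there; if it did, those bytes would sit in front of the TLS
    handshake and must not be silently discarded.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed proxy status line: %r" % status_line)
    return int(parts[1]), rest


def build_verifying_context(cafile: str) -> ssl.SSLContext:
    """The equivalent of web.cacerts: require a chain to a CA in cafile and
    check the presented certificate against the expected hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # default for create_default_context; stated explicitly
    ctx.check_hostname = True
    return ctx


def connect_via_proxy(proxy_host, proxy_port, target_host, target_port, cafile):
    """Open a CONNECT tunnel through the proxy, then wrap the tunnel in TLS
    that is verified exactly as a direct connection would be."""
    raw = socket.create_connection((proxy_host, proxy_port))
    request = b"CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (
        target_host.encode(), target_port, target_host.encode(), target_port)
    raw.sendall(request)

    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = raw.recv(4096)
        if not chunk:
            raw.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk

    status, leftover = parse_connect_response(buf)
    if status != 200:
        raw.close()
        raise ConnectionError("proxy refused CONNECT with status %d" % status)
    if leftover:
        raw.close()
        raise ConnectionError("unexpected bytes after CONNECT response")

    ctx = build_verifying_context(cafile)
    # server_hostname is the *origin* host, not the proxy: the certificate
    # must match the host we asked the proxy to tunnel to.
    return ctx.wrap_socket(raw, server_hostname=target_host)


if __name__ == "__main__":
    print(parse_connect_response(SAMPLE_CONNECT_OK))
```

The point of separating `build_verifying_context` from the tunnel setup is that the same context (and therefore the same CA bundle and hostname check) is used whether or not a proxy is in the path, so the proxy case cannot quietly fall back to an unverified handshake.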