Mercurial vulnerability? CVE-2010-4237

Mads Kiilerich mads at kiilerich.com
Fri Dec 10 07:21:46 CST 2010


On 12/10/2010 12:27 PM, Thomas Arendsen Hein wrote:
> * Mads Kiilerich <mads at kiilerich.com> [20101209 14:21]:
>> Related or not, we still don't verify certificates when connecting
>> through http proxy.
>> http://www.selenic.com/pipermail/mercurial-devel/2010-October/025774.html
>> works for plain 2.6 and 2.7 and doesn't regress on 2.4 and 2.5, but it
>> ended with
>> http://www.selenic.com/pipermail/mercurial-devel/2010-November/025808.html
>> . Either someone should decide that we don't care about non-standard ssl
>> module (on 2.5), or someone who cares should fix it.
>
> Sorry, my usual priority interrupts.
>
> I tried using python 2.5 and the non-standard ssl module two days
> ago: No luck when pointing web.cacerts to ca-certificates.crt, it
> always yields SSL errors, no problems when pointing to a single CA
> cert or when using python 2.6.
>
> So I would say the general usefulness on python 2.5 is not that
> good, therefore supporting certificate checks through proxy is not
> important here either.
>
> So I'm happy with the patch as long as tests on python 2.5 do not
> fail and insecure https with and without proxy still works

I can fix test-https.t so it runs on 2.6+ only. (2.6+ is IMHO all we can 
and will support when it comes to https stuff. It was pure coincidence 
that it was run and worked on 2.5.)

But if I understand you correctly you _do_ see some issues with my patch 
on 2.5 with the non-standard ssl?

Should we ignore that and take the fix for 2.6/2.7, or should we wait 
for someone to fix it for 2.5 with non-standard ssl?

> (with an
> abort on default and warning if user overrides of course).

Sorry, I don't get that.

/Mads
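The thread's point is that the proxy code path skipped certificate verification that the direct HTTPS path already did. As an added example (not Mercurial's own code, and not the patch under discussion), this opens a CONNECT tunnel through an HTTP proxy and then applies the same CA-bundle and hostname checks to the tunnelled socket; `cafile` stands in for the `web.cacerts` setting and all host names are assumed values.

```python
import socket
import ssl

# Added example (not Mercurial's code): HTTPS through an HTTP proxy with the
# server certificate still verified against a CA bundle. 'cafile' plays the
# role of Mercurial's web.cacerts setting.

def build_connect_request(host, port):
    """Return the CONNECT request that asks the proxy to open a raw TCP tunnel."""
    target = "%s:%d" % (host, port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target)).encode("ascii")


def tunnel_established(response):
    """Return True only for a 2xx status line; any other reply means no tunnel."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].startswith(b"2")


def verifying_context(cafile):
    """Build an SSL context that requires a chain to cafile and checks the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def https_via_proxy(proxy_host, proxy_port, host, port, cafile, timeout=10):
    """Connect to host:port through the proxy; verification is applied to the
    tunnelled socket exactly as it would be for a direct connection."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(host, port))
    response = b""
    while b"\r\n\r\n" not in response:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise IOError("proxy closed the connection before the tunnel was up")
        response += chunk
    if not tunnel_established(response):
        sock.close()
        raise IOError("proxy refused CONNECT: %r" % response.split(b"\r\n", 1)[0])
    # server_hostname drives both SNI and the hostname check: the leaf
    # certificate must name the origin host, not the proxy.
    return verifying_context(cafile).wrap_socket(sock, server_hostname=host)
```

Without the `verifying_context` step a proxy or anyone upstream of it could present any certificate and the client would accept it, which is the gap the thread describes.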