oss-sec mailing list archives

Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly

From: Ben Laurie <benl () google com>
Date: Tue, 16 Nov 2010 16:10:24 +0000

On 15 November 2010 21:58, Steven M. Christey <coley () linus mitre org> wrote:


Ouch, this is painful for a number of reasons.

Maybe Python "should" get the CVE, but the decision to push the issue to
application developers means that those developers will each have to provide
fixes, and software consumers will have to track these related vulns at the
application level.


It would certainly be safer if Python did the test by default and
applications had to explicitly turn it off...


(One could make the same argument about fundamental design flaws in
standards-based protocols, for which CVE generally assigns a single
identifier, but those issues generally feel "different" to me.  Quite
logical, I know...)

Anyway, I think we need to assign separate CVEs for each affected product as
an instance of "an implementation not working around security-relevant
design limitations of APIs" (which is consistent with the approach that CVE
has taken with respect to the DLL hijacking / insecure library loading
issues of the past couple months.)

I've been tempted to start assigning a single CVE to design limitations such
as this Python certificate issue, and (where needed) independent CVEs for
affected implementations, but I'm not feeling adventurous enough yet. it
kind of goes against the idea where each vuln has only one CVE associated
with it.

So - use CVE-2010-4237 for the issue in Mercurial, and feel free to consult
with me privately for the other issues if you wish.

- Steve



On Sun, 14 Nov 2010, Marc Deslauriers wrote:

On Mon, 2010-10-11 at 15:48 -0400, Josh Bressers wrote:


Steve,

Can I defer this one to MITRE? My initial thought is that python should
get
the ID, but they seem to want to push it up to the application
developers,
but they also added some functionality in
http://svn.python.org/view?view=rev&revision=85321

Is there a past precedent for this?


Has any decision been made regarding CVE assignment for this? I've found
some more python applications that aren't validating ssl certs, and am
waiting to know how this is going to be handled.

Thanks,

Marc.


--
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/

Current thread:

CVE Request -- Mercurial --Doesn't verify subject Common Name properly Jan Lieskovsky (Oct 08)
- <Possible follow-ups>
- Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Josh Bressers (Oct 11)
  - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Marc Deslauriers (Nov 14)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Steven M. Christey (Nov 15)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Marc Deslauriers (Nov 16)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Matthias Andree (Nov 17)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly dave b (Nov 17)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Ben Laurie (Nov 16)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly Ludwig Nussel (Nov 17)
    - Re: CVE Request -- Mercurial --Doesn't verify subject Common Name properly dave b (Nov 17)