cacerts.rc file not included in amd64 builds

Bug #1255967 reported by Peter Russell
This bug affects 2 people
Affects: mercurial (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

The file /etc/mercurial/hgrc.d/cacerts.rc is not being included in the amd64 builds of mercurial on Saucy (13.10 I think).

This leads to SSL certificates not being checked when cloning repositories over HTTPS - as Mercurial doesn't know where to find a set of trusted certificates. Mercurial presents a warning like this:

"warning: www.mydomainname.com certificate with fingerprint e1:0e:46:81:37:20:33:aa:42:c0:98:d7:e9:7f:c6:19:7a:ee:d5:37 not verified (check hostfingerprints or web.cacerts config setting)"

Depending on the network the traffic is going across, this could allow MITM attacks to go unnoticed.

You can compare the files in the two versions of the packages at

http://packages.ubuntu.com/saucy/amd64/mercurial/filelist

and

http://packages.ubuntu.com/saucy/i386/mercurial/filelist

information type: Private Security → Public Security
Quinn Balazs (qbalazs) wrote :

Yeah, /etc/mercurial/hgrc.d/cacerts.rc which would provide an idea what certificates were trusted was lost in Saucy AMD64. Compare http://packages.ubuntu.com/raring/amd64/mercurial/filelist to http://packages.ubuntu.com/saucy/amd64/mercurial/filelist.

Changed in mercurial (Ubuntu):
status: New → Confirmed
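
One way to audit a host, chroot or unpacked package for the condition described in this report, as an added example that is not part of the original bug report or of the Mercurial packaging. The function names and the ROOT prefix argument are assumptions made for illustration; only the system-wide files are read, not per-user or per-repository hgrc files, and precedence between files is not modelled.

```shell
#!/bin/sh
# Added example: does the system-wide Mercurial config set web.cacerts?
# ROOT ("" = live system) is a hypothetical prefix so an unpacked .deb can be checked.

# Print the web.cacerts value found in ROOT/etc/mercurial/hgrc or hgrc.d/*.rc.
hg_web_cacerts() {
    root=$1
    set --
    for f in "$root"/etc/mercurial/hgrc "$root"/etc/mercurial/hgrc.d/*.rc; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi   # skips an unmatched glob too
    done
    [ $# -gt 0 ] || return 0
    awk '
        FNR == 1  { insec = 0 }                        # sections do not span files
        /^[#;]/   { next }                             # comment line
        /^\[/     { insec = ($0 ~ /^\[web\]/); next }  # section header
        insec && /^cacerts[ \t]*=/ {
            sub(/^cacerts[ \t]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); val = $0
        }
        END { if (val != "") print val }' "$@"
}

# Return 0: set and bundle present; 1: unset (the state in this report);
# 2: set, but the referenced bundle is missing or empty.
check_hg_cacerts() {
    bundle=$(hg_web_cacerts "$1")
    if [ -z "$bundle" ]; then
        echo "web.cacerts is not set under $1/etc/mercurial"
        return 1
    fi
    if [ ! -s "$1$bundle" ]; then
        echo "web.cacerts = $bundle, but that file is missing or empty"
        return 2
    fi
    echo "web.cacerts = $bundle"
}

# Constructed demo tree reproducing the reported state (hgrc.d without cacerts.rc).
demo=$(mktemp -d) && mkdir -p "$demo/etc/mercurial/hgrc.d"
check_hg_cacerts "$demo"; rm -rf "$demo"
```

Call `check_hg_cacerts ""` to check the running system, or pass the directory a package was extracted into.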
This report contains Public Security information  
Everyone can see this security related information.
