Mercurial before 1.6.4 fails to verify the Common Name field of SSL certificates, which allows remote attackers who acquire a certificate signed by a Certificate Authority to perform a man-in-the-middle attack.
The product does not validate, or incorrectly validates, a certificate.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Mercurial | Mercurial | * | 1.6.4 (excluding) |
Mercurial | Ubuntu | hardy | * |
Mercurial | Ubuntu | lucid | * |
Mercurial | Ubuntu | upstream | * |
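
The check whose absence is described above, as an added example (not Mercurial's code): after the chain validates, the client must still confirm that the certificate names the host it connected to. The certificates use the dict layout of Python's `SSLSocket.getpeercert()`; the host names, sample certificates and function names are constructed for illustration.

```python
import ssl


def _name_matches(pattern, host):
    """Compare one certificate name to the host, label by label.
    '*' is honoured only as the entire left-most label and never directly
    under a top-level domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries if any,
    otherwise the subject Common Name."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # the CN is ignored once DNS SANs are present
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def verify_host(cert, hostname):
    """Raise ssl.CertificateError unless the certificate names `hostname`."""
    names = cert_names(cert)
    if not any(_name_matches(n, hostname) for n in names):
        raise ssl.CertificateError(
            "certificate is for %r, not %r" % (names, hostname))
    return True


def is_accepted(cert, hostname):
    try:
        return verify_host(cert, hostname)
    except ssl.CertificateError:
        return False


# Constructed samples: both would pass chain validation if CA-signed.
OTHER_SITE_CERT = {"subject": ((("commonName", "other-site.example"),),)}
SERVER_CERT = {"subject": ((("commonName", "hg.example.org"),),),
               "subjectAltName": (("DNS", "hg.example.org"),
                                  ("DNS", "*.hg.example.org"))}

if __name__ == "__main__":
    for cert in (SERVER_CERT, OTHER_SITE_CERT):
        print(cert_names(cert), is_accepted(cert, "hg.example.org"))
```

A client that stops at chain validation accepts both sample certificates for `hg.example.org`; with the name check only the first is accepted.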