
Mailing List Archive: OpenStack: Announce

[OSSA 2013-018] Missing SSL certificate check in Python glance client (CVE-2013-4111)

 

 



thierry at openstack

Jul 30, 2013, 7:17 AM


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-018
CVE: CVE-2013-4111
Date: July 30, 2013
Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was
failing to properly check certificates during the establishment of
HTTPS connections. A remote attacker with access over segments of the
network between client and server could potentially set up a
man-in-the-middle attack and access the contents of the Glance client
request (or response).

python-glanceclient fix (will be included in a future release):
https://review.openstack.org/#/c/33464/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111
https://bugs.launchpad.net/python-glanceclient/+bug/1192229

Regards,

- --
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
-----END PGP SIGNATURE-----
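
The class of defect described in the advisory can be checked for in any Python HTTPS client before a socket is wrapped. The following is an added example, not part of the advisory and not python-glanceclient's code: it uses only the standard-library `ssl` module, and the function names (`tls_client_findings`, `require_verified`, and the three context builders) are hypothetical.

```python
import ssl


def tls_client_findings(ctx):
    """Return the reasons this client context would accept an impostor server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is %s: the server certificate chain "
                        "is not validated" % ctx.verify_mode.name)
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate issued "
                        "for any other host is accepted")
    return findings


def require_verified(ctx):
    """Guard to call before ctx.wrap_socket(); refuses unverified settings."""
    findings = tls_client_findings(ctx)
    if findings:
        raise ValueError("; ".join(findings))
    return ctx


def weak_context():
    # No certificate check at all: encryption without authentication.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before lowering verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context():
    # Chain is validated, but the certificate is never matched to the host name.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def hardened_context():
    # Library defaults for a client: CERT_REQUIRED plus host name matching.
    return ssl.create_default_context()


if __name__ == "__main__":
    for build in (weak_context, chain_only_context, hardened_context):
        print(build.__name__, tls_client_findings(build()) or "ok")
```

The middle case is the one that is easy to miss in review: the chain validates, so connections succeed against the real server, yet the client cannot tell that server from any other holder of a trusted certificate.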

