Date: Wed, 19 Jun 2013 12:58:40 -0400 (EDT) From: Jan Lieskovsky <jlieskov@...hat.com> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org>, Cole Robinson <crobinso@...hat.com>, Florian Weimer <fweimer@...hat.com> Subject: [CVE identifier assignment notification] CVE-2013-2191 python-bugzilla: Does not verify Bugzilla server certificate Hello Kurt, Steve, vendors, It was found that python-bugzilla, a Python library for interacting with Bugzilla instances over XML-RPC functionality, did not perform X.509 certificate verification when using secured SSL connection. A man-in-the-middle (MiTM) attacker could use this flaw to spoof Bugzilla server via an arbitrary certificate. Credit: This issue was discovered by Florian Weimer of the Red Hat Product Security Team. CVE id: CVE-2013-2191 has been assigned to this issue Relevant upstream patch: https://git.fedorahosted.org/cgit/python-bugzilla.git/commit/?id=a782282ee479ba4cc1b8b1d89700ac630ba83eef References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2191 Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ