Date: Wed, 19 Jun 2013 12:58:40 -0400 (EDT)
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>,
        Cole Robinson <>,
        Florian Weimer <>
Subject: [CVE identifier assignment notification] CVE-2013-2191
 python-bugzilla: Does not verify Bugzilla server certificate

Hello Kurt, Steve, vendors,

  It was found that python-bugzilla, a Python library for interacting with Bugzilla
instances over XML-RPC, did not perform X.509 certificate verification
when using a secured SSL connection. A man-in-the-middle (MITM) attacker could use this
flaw to spoof a Bugzilla server via an arbitrary certificate.

Credit: This issue was discovered by Florian Weimer of the Red Hat Product Security Team.

CVE id: CVE-2013-2191 has been assigned to this issue.

Relevant upstream patch:


Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
