Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 30 Jul 2013 16:17:41 +0200
From: Thierry Carrez <thierry@...nstack.org>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: [OSSA 2013-018] Missing SSL certificate check in Python glance client
 (CVE-2013-4111)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-018
CVE: CVE-2013-4111
Date: July 30, 2013
Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was
failing to properly check certificates during the establishment of
HTTPS connections. A remote attacker with access over segments of the
network between client and server could potentially set up a man-in
the-middle attack and access the contents of the Glance client request
(or response).

python-glanceclient fix (will be included in a future release):
https://review.openstack.org/#/c/33464/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111
https://bugs.launchpad.net/python-glanceclient/+bug/1192229

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJR98sFAAoJEFB6+JAlsQQj0DcP/0qpdfzkReydoNU+OcR4HzJp
mO/jlyiieX9PRjkgDRaOrqA8pyA2QAwb9JUGNXWA7MRBsWQRlWTgkT38bMU///YK
vq1Q1UWIupPyOaMGZRW4Vmc1DN0vEtfmqwImj3tWWAdXwO/AaIo76HoAFLjOHV0/
dg8bsXm7fAS8UHFqFpLVNpgLFqm7TIFeG2sV/efQQkTZxy2txiqV/LFf7EFFF8NL
aPPrgrORGbopj1HMV4PcZ2DHniHyYviMUDnXpUhtCw+T6G/RINi6CsaBdzmoyr09
d+XHV717FLPS1eR4gJmdOiLTwf9SIr/4ElAeUba+3CbPaYmDN5Lc3MFXtnXkGxXl
+qaZLE4VLAs6eTVTHFzCFXjKsiTXEVWJ/sFBWtUWnaM/ulunR7COPgrfi2R4zU/R
mkd0nFwHINPqDH4UPzgOw36cHBLPuKU5FNvXwk7e1yUm7aeV3cCr5to9b19WdX/Z
xn31G6ZyhVD+Mnb6qbgpC9bzH/qE+/I6MFI7EOWHZbszxxDdWfz6KJZEt+/razoJ
ljlPEP6cGeuWTj0ZHaTGhzbI4lTjTdgK8G7Rfn08X+SkuwbJL1+39YSudqS0rwbW
Sawx+H+tBd2NVf2ES0xwzuVElfl3QD6P0HW1vR4FtnxCSxKPppiJ3yrJofJNv9ub
tIRMIhF5d0T5V/zkQk0z
=YsWI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.