Date: Mon, 17 Feb 2014 15:52:40 +0100
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-005] Missing SSL certificate check in Python Swift client (CVE-2013-6396)

OpenStack Security Advisory: 2014-005
CVE: CVE-2013-6396
Date: February 17, 2014
Title: Missing SSL certificate check in Python Swift client
Reporter: Thomas Leaman (HP)
Products: python-swiftclient
Versions: 1.0 version up to 1.9.0

Description:
Thomas Leaman from HP reported that the Python Swift client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Swift client's communication with the server, including any used credentials.

python-swiftclient fix (included in 2.0 release):
https://review.openstack.org/#/c/69187

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6396
https://bugs.launchpad.net/bugs/1199783

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
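
An added example (not part of the advisory, and not python-swiftclient's code or its fix): a check, written against Python's standard `ssl` module, that tells apart a client context that skips certificate checks, one that validates the chain only, and one that also matches the server hostname. All function names are hypothetical.

```python
import ssl

NO_CHAIN = "certificate chain is not validated (verify_mode is not CERT_REQUIRED)"
NO_HOST = "certificate is not matched against the server hostname (check_hostname is off)"


def audit_context(ctx):
    """Return the certificate-checking gaps in a client-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_CHAIN)
    if not ctx.check_hostname:
        findings.append(NO_HOST)
    return findings


def unverified_context():
    """Weak: encrypts the session but accepts any certificate from any peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared first, or the next line raises ValueError
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context():
    """Still weak: validates the chain but accepts a certificate issued for another host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def verified_context(cafile=None):
    """Hardened: CERT_REQUIRED plus hostname matching; cafile selects a private CA bundle."""
    return ssl.create_default_context(cafile=cafile)


def require_verified(ctx):
    """Refuse to hand out a context that would skip certificate checks."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing unverified TLS: " + "; ".join(findings))
    return ctx


if __name__ == "__main__":
    for make in (unverified_context, chain_only_context, verified_context):
        print(make.__name__, "->", audit_context(make()) or "OK")
```

Calling `require_verified()` on the context just before it is passed to the HTTPS connection turns a silent downgrade into a hard failure.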