Date: Mon, 17 Feb 2014 15:52:40 +0100
From: Tristan Cacqueray <>
Subject: [OSSA 2014-005] Missing SSL certificate check in Python Swift client

OpenStack Security Advisory: 2014-005
CVE: CVE-2013-6396
Date: February 17, 2014
Title: Missing SSL certificate check in Python Swift client
Reporter: Thomas Leaman (HP)
Products: python-swiftclient
Versions: 1.0 version up to 1.9.0

Thomas Leaman from HP reported that the Python Swift client was failing
to properly check certificates during the establishment of HTTPS
connections. A remote attacker with access over segments of the network
between client and server could potentially set up a man-in-the-middle
attack and access the contents of the Swift client's communication with
the server, including any used credentials.

python-swiftclient fix (included in 2.0 release):


Tristan Cacqueray
OpenStack Vulnerability Management Team
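
The class of flaw described above, shown with Python's standard ssl module. This is an added example, not code from python-swiftclient or from the advisory; the function names and the host "swift.example.test" are constructed for illustration.

```python
import http.client
import ssl


def unverified_context():
    """Weak setting: the client accepts any certificate from any peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def verified_context(cafile=None):
    """Corrected setting: chain validation plus hostname matching."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def audit_context(ctx):
    """Return the reasons a client context would trust an impostor server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated (%s)"
                        % ctx.verify_mode.name)
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings


def https_connection(host, ctx, port=443):
    """Build an HTTPS connection object, refusing contexts that skip checks.

    Nothing is sent here; http.client connects on the first request.
    """
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing TLS context: " + "; ".join(findings))
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_context()),
                      ("verified", verified_context())):
        print(name, audit_context(ctx) or "ok")
```

A context that validates the chain but has check_hostname disabled is still reported, since any certificate trusted by the CA store would be accepted for any host.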
