Date: Mon, 17 Feb 2014 15:52:40 +0100
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-005] Missing SSL certificate check in Python Swift client (CVE-2013-6396)

OpenStack Security Advisory: 2014-005
CVE: CVE-2013-6396
Date: February 17, 2014
Title: Missing SSL certificate check in Python Swift client
Reporter: Thomas Leaman (HP)
Products: python-swiftclient
Versions: 1.0 up to 1.9.0

Description:
Thomas Leaman from HP reported that the Python Swift client was failing
to properly check certificates when establishing HTTPS connections. A
remote attacker with access to a network segment between client and
server could potentially mount a man-in-the-middle attack and read the
contents of the Swift client's communication with the server, including
any credentials used.
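What "failing to properly check certificates" means at the level of Python's `ssl` module, as an added example (not code from python-swiftclient or from the advisory): the first context mirrors the weak behaviour, where the chain is never validated and the hostname is never compared against the certificate, the second is configured the way a fixed HTTPS client should be, and an audit helper tells the two apart. Function names are hypothetical.

```python
"""Added example: verifying vs. non-verifying TLS client contexts.

Hypothetical helper names; not code from python-swiftclient.
"""
import ssl


def insecure_client_context():
    """Context that accepts any certificate from any host (the weak setting).

    This is the configuration a client ends up with when it skips
    certificate checking: a self-signed or attacker-issued certificate
    is accepted and the handshake completes normally.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is not validated at all
    return ctx


def secure_client_context(cafile=None):
    """Context that validates the chain against trusted CAs and checks the hostname.

    create_default_context() already enables both checks; they are set again
    explicitly so a later refactor cannot silently weaken the configuration.
    cafile is optional: None means the platform's default CA store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject peers whose chain does not verify
    ctx.check_hostname = True            # reject peers whose cert is for another name
    return ctx


def context_verifies_peer(ctx):
    """True only if ctx both validates the certificate chain and checks the hostname.

    Either check alone is insufficient: CERT_REQUIRED without check_hostname
    accepts any valid certificate for any other name, and check_hostname
    without chain validation cannot be enabled by the ssl module at all.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_contexts(named_contexts):
    """Map each context name to whether it verifies the peer; useful in a test suite."""
    return {name: context_verifies_peer(ctx) for name, ctx in named_contexts.items()}


if __name__ == "__main__":
    results = audit_contexts({
        "weak (no certificate check)": insecure_client_context(),
        "fixed (chain + hostname)": secure_client_context(),
    })
    for name, ok in results.items():
        print(f"{name}: {'verifies peer' if ok else 'DOES NOT verify peer'}")
```

A unit test that asserts `context_verifies_peer()` on the context a client actually uses is a cheap regression guard against this class of bug; with the weak context above, a TLS handshake against any certificate succeeds, which is exactly what lets an on-path attacker impersonate the server.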

python-swiftclient fix (included in 2.0 release):
https://review.openstack.org/#/c/69187

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6396
https://bugs.launchpad.net/bugs/1199783

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
