Date: Wed, 17 Sep 2014 21:35:31 +1000 From: Grant Murphy <gmurphy@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE request for vulnerability in OpenStack keystonemiddleware A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: TLS cert verification option not honoured in paste configs Reporter: Qin Zhao (IBM) Products: keystonemiddleware, python-keystoneclient Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1 (python-keystoneclient) Description: Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly shipped as python-keystoneclient). When the 'insecure' SSL option is set in a paste configuration file it is effectively ignored, regardless of its value. As a result certificate verification will be disabled, leaving TLS connections open to MITM attacks. All versions of keystonemiddleware with TLS settings configured via a paste.ini file are affected by this flaw. References: http://launchpad.net/bugs/1353315 Thanks in advance, -- Grant Murphy OpenStack Vulnerability Management Team [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ