Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Sep 2014 21:35:31 +1000
From: Grant Murphy <gmurphy@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request for vulnerability in OpenStack keystonemiddleware

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although an
advisory was not sent yet.

Title: TLS cert verification option not honoured in paste configs
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1
(python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly
shipped as python-keystoneclient). When the 'insecure' SSL option is set in 
a paste configuration file it is effectively ignored, regardless of its 
value.  As a result certificate verification will be disabled, leaving TLS
connections open to MITM attacks. All versions of keystonemiddleware with
TLS settings configured via a paste.ini file are affected by this flaw.

References:
http://launchpad.net/bugs/1353315


Thanks in advance,

--
Grant Murphy
OpenStack Vulnerability Management Team


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ