Date: Wed, 4 Mar 2015 13:14:15 -0500 From: Donald Stufft <donald@...fft.io> To: oss-security@...ts.openwall.com Subject: Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 > On Mar 4, 2015, at 12:55 PM, Kurt Seifried <kseifried@...hat.com> wrote: > > https://bugzilla.redhat.com/show_bug.cgi?id=1198740 > > Jan Bee of the Google Security Team reports: > > The /usr/sbin/rhnreg_ks fails to properly validate hostnames in > certificates. This can result in man in the middle attacks. > > === > > Please note that this issue cannot easily be exploited to cause any > significant damage to a system other then preventing registration from > taking place properly which the attacker would be able to do in any > event if the can man in the middle the connection. > > > > -- > Kurt Seifried -- Red Hat -- Product Security -- Cloud > PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 > Note: Python 2.7.9+ and 3.4.3+ will cause most apps like this to automatically start validating hostnames. It may be easier to backport those changes than to find every Python app that doesn’t check hostnames. --- Donald Stufft PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ