Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Mar 2015 13:14:15 -0500
From: Donald Stufft <donald@...fft.io>
To: oss-security@...ts.openwall.com
Subject: Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777


> On Mar 4, 2015, at 12:55 PM, Kurt Seifried <kseifried@...hat.com> wrote:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1198740
> 
> Jan Bee of the Google Security Team reports:
> 
> The /usr/sbin/rhnreg_ks fails to properly validate hostnames in
> certificates. This can result in man in the middle attacks.
> 
> ===
> 
> Please note that this issue cannot easily be exploited to cause any
> significant damage to a system other then preventing registration from
> taking place properly which the attacker would be able to do in any
> event if the can man in the middle the connection.
> 
> 
> 
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> 

Note: Python 2.7.9+ and 3.4.3+ will cause most apps like this to
automatically start validating hostnames. It may be easier to backport
those changes than to find every Python app that doesn’t check hostnames.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ