Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 17 Feb 2014 15:52:40 +0100
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-005] Missing SSL certificate check in Python Swift client
 (CVE-2013-6396)

OpenStack Security Advisory: 2014-005
CVE: CVE-2013-6396
Date: February 17, 2014
Title: Missing SSL certificate check in Python Swift client
Reporter: Thomas Leaman (HP)
Products: python-swiftclient
Versions: 1.0 version up to 1.9.0

Description:
Thomas Leaman from HP reported that the Python Swift client was failing
to properly check certificates during the establishment of HTTPS
connections. A remote attacker with access over segments of the network
between client and server could potentially set up a man-in-the-middle
attack and access the contents of the Swift client's communication with
the server, including any used credentials.

python-swiftclient fix (included in 2.0 release):
https://review.openstack.org/#/c/69187

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6396
https://bugs.launchpad.net/bugs/1199783

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team


Download attachment "signature.asc" of type "application/pgp-signature" (556 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.