Date: Mon, 17 Feb 2014 15:52:40 +0100
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-005] Missing SSL certificate check in Python Swift client (CVE-2013-6396)

OpenStack Security Advisory: 2014-005
CVE: CVE-2013-6396
Date: February 17, 2014
Title: Missing SSL certificate check in Python Swift client
Reporter: Thomas Leaman (HP)
Products: python-swiftclient
Versions: 1.0 version up to 1.9.0

Description:
Thomas Leaman from HP reported that the Python Swift client was failing
to properly check certificates during the establishment of HTTPS
connections. A remote attacker with access over segments of the network
between client and server could potentially set up a man-in-the-middle
attack and access the contents of the Swift client's communication with
the server, including any used credentials.

python-swiftclient fix (included in 2.0 release):
https://review.openstack.org/#/c/69187

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6396
https://bugs.launchpad.net/bugs/1199783

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
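
For triage against the version range stated in the advisory above, the following is an added example (not part of the advisory and not python-swiftclient code) that scans requirements-style pins for python-swiftclient. The sample input is constructed, the function names are hypothetical, and the range is assumed to be inclusive at both ends.

```python
import re

# Range stated in the advisory: "1.0 version up to 1.9.0"; fix included in 2.0.
# Assumption: both ends of that range are inclusive.
FIRST_AFFECTED, LAST_AFFECTED = (1, 0, 0), (1, 9, 0)
PACKAGE = "python-swiftclient"

# Constructed sample of requirements-style pins, not taken from a real system.
SAMPLE_FREEZE = """\
# deployment pins (constructed sample)
Python_SwiftClient==1.8.0
python-keystoneclient==0.4.1
python-swiftclient==2.0
python.swiftclient==1.9.0  # legacy host
python-swiftclient>=1.5
"""

# Exact pin: name == dotted numeric version, optional trailing comment.
PIN = re.compile(r"^[A-Za-z0-9._-]+\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*(?:#.*)?$")


def normalize(name):
    """PEP 503 normalization: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Turn '1.9' into (1, 9, 0) so that 1.9 and 1.9.0 compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def triage(freeze_text):
    """Return (line_number, line, verdict) for every python-swiftclient entry."""
    findings = []
    for number, line in enumerate(freeze_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        name = re.split(r"[<>=!~;\[\s]", stripped, maxsplit=1)[0]
        if normalize(name) != PACKAGE:
            continue
        match = PIN.match(stripped)
        if match is None:
            verdict = "unpinned"  # range specifier: check the installed version
        elif FIRST_AFFECTED <= parse_version(match.group(1)) <= LAST_AFFECTED:
            verdict = "affected"
        else:
            verdict = "outside range"
        findings.append((number, stripped, verdict))
    return findings
```

Calling `triage(SAMPLE_FREEZE)` returns one tuple per python-swiftclient line; an "unpinned" verdict means the file alone cannot say which release is installed.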