Date: Fri, 26 Sep 2014 08:30:45 +1000 From: Grant Murphy <gmurphy@...hat.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-030] TLS cert verification option not honoured in paste configs (CVE-2014-7144) OpenStack Security Advisory: 2014-030 CVE: CVE-2014-7144 Date: September 25, 2014 Title: TLS cert verification option not honoured in paste configs Reporter: Qin Zhao (IBM) Products: keystonemiddleware, python-keystoneclient Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1 (python-keystoneclient) Description: Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly shipped as python-keystoneclient). When the 'insecure' option is set in a paste configuration file it is effectively ignored, regardless of its value. As a result certificate verification will be disabled, leaving TLS connections open to MITM attacks. All versions of keystonemiddleware with TLS settings configured via a paste.ini file are affected by this flaw. keystonemiddleware fix: https://review.openstack.org/113191 python-keystoneclient fix: https://review.openstack.org/112232 Notes: These fixes are included in the keystonemiddleware 1.2.0 release and in the python-keystoneclient 0.11.0 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7144 https://launchpad.net/bugs/1353315 -- Grant Murphy OpenStack Vulnerability Management Team Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.