Date: Tue, 4 Apr 2017 08:06:14 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2017-2667: Hammer CLI SSL certificate verification disabled

CVE-2017-2667: SSL/HTTPS server certificates are not verified by default
in Hammer CLI

Hammer CLI, a REST API-based CLI for Foreman, initiated HTTPS
connections via the apipie-bindings and rest-client libraries without
verifying the SSL certificate presented by the server. This could allow
for a man-in-the-middle attack.

This issue was reported by Tomas Strachota.

Affects all known Hammer CLI versions
Fix released in Hammer CLI 0.10.0

Patch:
https://github.com/theforeman/hammer-cli/commit/74b926ae24f47f1d93b778e06b64935e57b60e33

More information:
https://theforeman.org/security.html#2017-2667
http://projects.theforeman.org/issues/19033
https://theforeman.org

-- 
Dominic Cleal
dominic@...al.org