Date: Tue, 4 Apr 2017 08:06:14 +0100
From: Dominic Cleal <dominic@...al.org>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2017-2667: Hammer CLI SSL certificate verification disabled

CVE-2017-2667: SSL/HTTPS server certificates are not verified by default in Hammer CLI

Hammer CLI, a REST API-based CLI for Foreman, initiated HTTPS connections via the apipie-bindings and rest-client libraries without verifying the SSL certificate presented by the server. This could allow for a man-in-the-middle attack.

This issue was reported by Tomas Strachota.

Affects all known Hammer CLI versions
Fix released in Hammer CLI 0.10.0

Patch:
https://github.com/theforeman/hammer-cli/commit/74b926ae24f47f1d93b778e06b64935e57b60e33

More information:
https://theforeman.org/security.html#2017-2667
http://projects.theforeman.org/issues/19033
https://theforeman.org

-- 
Dominic Cleal
dominic@...al.org
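The following Ruby is an added illustration of the weak default the advisory describes, placed beside the corrected setting; it is not Hammer CLI's, apipie-bindings' or rest-client's own code and is not taken from the linked patch. It uses only the standard-library Net::HTTP and OpenSSL classes (rest-client's `verify_ssl: false` maps to the same `VERIFY_NONE` mode), the hostname `foreman.example.com` is a placeholder, and the self-signed certificate is constructed in memory purely to show what peer verification accepts and rejects.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# --- Client configuration: weak default vs. hardened --------------------------

# The behaviour described in the advisory: TLS is used, but the certificate the
# server presents is never checked (the Net::HTTP equivalent of rest-client's
# verify_ssl: false). Whatever certificate an on-path party presents is accepted.
def insecure_client(url)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http
end

# Corrected configuration: verify the chain against the system CA store, or
# against an explicit CA file such as the Foreman server's own CA certificate.
def secure_client(url, ca_file: nil)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file if ca_file
  http
end

# Audit helper: true only when the client will reject an untrusted certificate.
def verifies_peer?(http)
  http.use_ssl? && http.verify_mode == OpenSSL::SSL::VERIFY_PEER
end

# --- What VERIFY_PEER actually decides ---------------------------------------

# Build a self-signed certificate in memory (constructed test data, standing in
# for whatever certificate a server, legitimate or not, presents in the handshake).
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Peer verification as a TLS client performs it: the presented certificate must
# chain to a certificate in the trust store. VERIFY_NONE skips this step entirely,
# which is exactly why an interposed server goes unnoticed.
def trusted?(cert, store)
  store.verify(cert)
end

if __FILE__ == $PROGRAM_NAME
  url = 'https://foreman.example.com' # placeholder hostname
  puts "insecure client verifies peer? #{verifies_peer?(insecure_client(url))}"
  puts "secure client verifies peer?   #{verifies_peer?(secure_client(url))}"

  unknown_cert = make_self_signed('foreman.example.com')
  store = OpenSSL::X509::Store.new
  puts "unknown self-signed cert trusted? #{trusted?(unknown_cert, store)}"
  store.add_cert(unknown_cert) # operator explicitly pins the server's CA
  puts "same cert once in the store?      #{trusted?(unknown_cert, store)}"
end
```

Nothing here opens a network connection; `verifies_peer?` is the kind of check to run over a CLI's configured HTTP client in a test suite, and the `OpenSSL::X509::Store` part shows that the only way a certificate becomes acceptable under `VERIFY_PEER` is for an operator to have trusted its issuer, which `VERIFY_NONE` never asks.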