[Openstack-devel] Bug#718282: CVE-2013-4111: Missing SSL certificate check in Python glance client
Thomas Goirand
zigo at debian.org
Mon Jul 29 16:16:16 UTC 2013
Package: python-glanceclient
Version: 1:0.9.0-1
Severity: grave
Tags: patch
Copying the email from the security team of OpenStack.
Thomas Goirand (zigo)
A vulnerability was fixed publicly in OpenStack Python Glance client
recently, and we think it warrants a security advisory to make sure
everyone is aware of it.
We obviously can't embargo anything here since the issue is public
already, but we figured you would still appreciate a day's heads-up
before we publish the advisory and attract the rest of the world's
attention to the issue.
Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions
Description:
Thomas Leaman from HP reported that the Python Glance client was
failing to properly check certificates during the establishment of
HTTPS connections. A remote attacker with access over segments of the
network between client and server could potentially set up a
man-in-the-middle attack and access the contents of the Glance client
request (or response).
python-glanceclient fix (will be included in future release):
https://review.openstack.org/#/c/33464/
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111
https://bugs.launchpad.net/python-glanceclient/+bug/1192229
Regards,
--
Thierry Carrez
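The description above concerns a client that opened HTTPS connections without requiring a verified server certificate. The following is an added example, not code from the advisory or from python-glanceclient: a small AST-based audit that flags that bug class in Python source, applied to two constructed snippets, one with the unverified pre-fix pattern and one with the hardened pattern. The snippet contents and the rule names are assumptions made for the example.

```python
import ast

# Added example, not glanceclient code. Constructed sample of the pre-fix
# pattern: ssl.wrap_socket() without cert_reqs=ssl.CERT_REQUIRED accepts
# any server certificate, which is the bug class in CVE-2013-4111.
VULNERABLE_SRC = '''
import socket, ssl
def connect(host, port):
    sock = socket.create_connection((host, port))
    return ssl.wrap_socket(sock)
'''

# Constructed sample of the hardened pattern: the context requires a
# certificate chaining to a trusted CA and checks the hostname.
FIXED_SRC = '''
import socket, ssl
def connect(host, port, ca_file):
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    sock = socket.create_connection((host, port))
    return ctx.wrap_socket(sock, server_hostname=host)
'''

def _dotted(node):
    """Dotted name of a Name/Attribute node, e.g. 'ssl.CERT_NONE'."""
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return node.id if isinstance(node, ast.Name) else ""

def find_unverified_tls(source):
    """Return (lineno, reason) for code that skips certificate verification."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _dotted(node.func) == "ssl.wrap_socket":
            kws = {kw.arg: _dotted(kw.value) for kw in node.keywords}
            if kws.get("cert_reqs") != "ssl.CERT_REQUIRED":
                findings.append((node.lineno, "wrap_socket without CERT_REQUIRED"))
        elif isinstance(node, ast.Assign):
            target, value = _dotted(node.targets[0]), node.value
            if target.endswith(".verify_mode") and _dotted(value) == "ssl.CERT_NONE":
                findings.append((node.lineno, "verify_mode set to CERT_NONE"))
            if target.endswith(".check_hostname") and getattr(value, "value", None) is False:
                findings.append((node.lineno, "check_hostname disabled"))
    return findings

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(label, find_unverified_tls(src))
```

The check only inspects the source text, so it runs on any Python version with the ast module even though ssl.wrap_socket itself is gone from recent releases.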