[PKG-Openstack-devel] Bug#762749: Bug#762749: [CVE-2014-7144] TLS cert verification option not honored in paste configs

Thomas Goirand zigo at debian.org
Thu Sep 25 07:28:41 UTC 2014


On 09/25/2014 05:34 AM, Luciano Bello wrote:
> Package: python-keystoneclient
> Severity: important
> Tags: security upstream patch fixed-upstream
> 
> Hi there,
>     the following vulnerabilities were published for python-keystoneclient:
> 
> CVE-2014-7144: TLS cert verification option not honored in paste configs
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> http://seclists.org/oss-sec/2014/q3/620
> https://review.openstack.org/#/c/113191/
> 
> Please adjust the affected versions in the BTS as needed. Can you please confirm 
> to the security-team if the stable version is affected?
> 
> Regards, luciano

Hi Luciano,

You've sent the same bug report twice, using the same CVE, but for both
keystonemiddleware and keystoneclient. Is this intentional?

CVE-2014-7144 is about keystonemiddleware. Stable isn't affected (it
doesn't contain keystonemiddleware). Though if there's another CVE which
I'm not (yet) aware of on keystoneclient, then this would have to be
checked.

Cheers,

Thomas Goirand (zigo)


