oss-sec mailing list archives
Re: oVirt 3.1 does not validate server certificates in python sdk and cli (CVE-2012-3533)
From: Michael Pasternak <mpastern () redhat com>
Date: Sun, 26 Aug 2012 10:14:15 +0300
Hi Vincent,

Fix for the mentioned issue available in:

sdk: 3.1.0.6
cli: 3.1.0.8

> Hi folks. This is a heads-up for anyone who may be shipping oVirt.
>
> oVirt 3.1 added a new python SDK and CLI which do various fancy things.
> It supports connecting to servers over SSL, but did not have support for
> validating certificates, which could lead to a mitm attack.
>
> I've assigned CVE-2012-3533 to this issue. It is corrected in git already.
>
> References:
>
> http://wiki.ovirt.org/wiki/Release_Notes#Interfaces
> http://gerrit.ovirt.org/#/c/7209/
> http://gerrit.ovirt.org/#/c/7249/
> https://bugzilla.redhat.com/show_bug.cgi?id=851672
>
> --
> Vincent Danen / Red Hat Security Response Team

--
Michael Pasternak
RedHat, ENG-Virtualization R&D
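An added illustration of the issue class discussed in this thread, not part of either message and not the oVirt SDK's own code: a Python client that encrypts without validating the server certificate, next to one that validates, with a check that refuses the former. The function names and the host `engine.example.test` are hypothetical.

```python
import http.client
import ssl


def insecure_context():
    """The 'before' behaviour: traffic is encrypted, but any certificate
    is accepted, so an on-path attacker can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(ca_file=None):
    """Validate the chain against ca_file (or the system trust store when
    ca_file is None) and match the certificate to the requested host."""
    return ssl.create_default_context(cafile=ca_file)


def audit(ctx):
    """Return the validation gaps in an SSLContext; empty list means none."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings


def connect(host, port=443, ctx=None, ca_file=None):
    """Build an HTTPS connection object, refusing any context that would
    skip certificate validation. No network traffic happens here; the TLS
    handshake runs on the first request."""
    ctx = ctx or verified_context(ca_file)
    problems = audit(ctx)
    if problems:
        raise ValueError("refusing TLS context: " + "; ".join(problems))
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    print(audit(insecure_context()))   # both gaps reported
    print(audit(verified_context()))   # no gaps
    connect("engine.example.test")     # hypothetical host, not contacted
```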
Current thread:
- oVirt 3.1 does not validate server certificates in python sdk and cli (CVE-2012-3533) Vincent Danen (Aug 24)
- <Possible follow-ups>
- Re: oVirt 3.1 does not validate server certificates in python sdk and cli (CVE-2012-3533) Michael Pasternak (Aug 26)