oss-sec mailing list archives
[OSSA 2013-018] Missing SSL certificate check in Python glance client (CVE-2013-4111)
From: Thierry Carrez <thierry () openstack org>
Date: Tue, 30 Jul 2013 16:17:41 +0200
OpenStack Security Advisory: 2013-018
CVE: CVE-2013-4111
Date: July 30, 2013
Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was failing
to properly check certificates during the establishment of HTTPS
connections. A remote attacker with access over segments of the network
between client and server could potentially set up a man-in-the-middle
attack and access the contents of the Glance client request (or
response).

python-glanceclient fix (will be included in a future release):
https://review.openstack.org/#/c/33464/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111
https://bugs.launchpad.net/python-glanceclient/+bug/1192229

Regards,

-- 
Thierry Carrez
OpenStack Vulnerability Management Team
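An added illustration of the failure class this advisory describes, not code from python-glanceclient or its fix: using only Python's standard ssl module, it contrasts client contexts that skip certificate checks with one that validates both the chain and the hostname, and audits each. The function names and finding labels are assumptions made for this example.

```python
import socket
import ssl


def insecure_context():
    """Weak form: traffic is encrypted but the server is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, including an attacker's
    return ctx


def chain_only_context():
    """Subtle weak form: chain is validated, but a valid cert for ANY host passes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def verified_context(cafile=None):
    """Corrected form: CERT_REQUIRED plus hostname matching (cafile is optional)."""
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx):
    """Return the list of certificate checks this client context would skip."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-not-verified")
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    return findings


def connect(host, port, ctx):
    """Open a TLS connection; with verified_context() a bad cert raises SSLError."""
    with socket.create_connection((host, port), timeout=10) as sock:
        # server_hostname drives both SNI and the hostname check
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for build in (insecure_context, chain_only_context, verified_context):
        print(build.__name__, audit_context(build()) or "ok")
```

Running audit_context over the context an HTTPS client actually uses makes a good regression test: any non-empty result means a party on the network path could present its own certificate and read the request or response.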