oss-sec mailing list archives

[OSSA 2014-005] Missing SSL certificate check in Python Swift client (CVE-2013-6396)


From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Mon, 17 Feb 2014 15:52:40 +0100

OpenStack Security Advisory: 2014-005
CVE: CVE-2013-6396
Date: February 17, 2014
Title: Missing SSL certificate check in Python Swift client
Reporter: Thomas Leaman (HP)
Products: python-swiftclient
Versions: 1.0 up to 1.9.0

Description:
Thomas Leaman from HP reported that the Python Swift client was failing
to properly check server certificates when establishing HTTPS
connections. A remote attacker positioned on a network segment between
client and server could therefore set up a man-in-the-middle attack and
read the contents of the Swift client's communication with the server,
including any credentials it sends.
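As an added illustration, not code from the advisory or from python-swiftclient, the following Python shows the two sides of this class of flaw in a plain `ssl`/`http.client` client: a context that skips chain and hostname verification (the failure mode described above) next to a hardened context, plus an audit check that refuses to build an HTTPS connection unless verification is on. The host name is a placeholder and no request is sent.

```python
import http.client
import ssl


def insecure_context():
    """The failure mode the advisory describes: a TLS client context that
    accepts any certificate and never matches the hostname.  Built here only
    so the audit check below has something concrete to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode may become CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None):
    """Hardened form: chain validation against the system trust store (or a
    caller-supplied CA bundle) plus hostname matching."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets both; restated so the intent is
    # explicit and survives later edits.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def verification_enabled(ctx):
    """Audit check: True only if the context validates the certificate chain
    AND checks the certificate against the requested hostname.  Either half
    alone still leaves the connection open to interposition."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_swift_connection(host, port=443, ctx=None, timeout=10):
    """Build an HTTPS connection object, refusing any context that has
    verification switched off.  The constructor does not touch the network;
    the TLS handshake (and hence certificate validation) happens on the
    first request."""
    ctx = verified_context() if ctx is None else ctx
    if not verification_enabled(ctx):
        raise ValueError("refusing HTTPS connection without certificate verification")
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)


if __name__ == "__main__":
    # "swift.example.invalid" is a placeholder host; nothing is sent.
    conn = open_swift_connection("swift.example.invalid")
    print("connection to", conn.host, "uses verified context:",
          verification_enabled(verified_context()))
    print("insecure context passes audit:",
          verification_enabled(insecure_context()))
```

The guard in `open_swift_connection` is the practical takeaway: a client library that exposes an "insecure" switch should default to a verified context and make the unverified path an explicit, auditable choice rather than the silent default.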

python-swiftclient fix (included in 2.0 release):
https://review.openstack.org/#/c/69187

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6396
https://bugs.launchpad.net/bugs/1199783

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
