oss-sec mailing list archives

CVE-2014-3691, foreman-proxy: failure to verify SSL certificates


From: Murray McAllister <mmcallis () redhat com>
Date: Thu, 09 Oct 2014 17:31:52 +1100

It was discovered that Foreman Smart Proxy failed to verify SSL certificates. As noted in the upstream bug, "This permits any client with access to the API to make requests and perform actions (permitting control of Puppet CA, DHCP, DNS etc.)". (CVE-2014-3691)

A mitigation is available from the following:

https://groups.google.com/forum/#!topic/foreman-announce/jXC5ixybjqo

References:

http://projects.theforeman.org/issues/7822
https://bugzilla.redhat.com/show_bug.cgi?id=1150879

Cheers,

--
Murray McAllister / Red Hat Product Security

