[Openstack-security] [Bug 1188189] Fix merged to neutron (master)

OpenStack Infra 1188189 at bugs.launchpad.net
Thu Apr 3 22:33:38 UTC 2014


Reviewed:  https://review.openstack.org/77414
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=264b4a2523c165640f17aa4837f87ddfd0b49640
Submitter: Jenkins
Branch:    master

commit 264b4a2523c165640f17aa4837f87ddfd0b49640
Author: Daniel Gollub <d.gollub at telekom.de>
Date:   Sun Mar 2 09:33:38 2014 +0100

    Replace HTTPSConnection in NEC plugin
    
    Replace HTTPSConnection in NEC plugin PFC driver with Requests.
    
    SSL Verification is from now on enabled by default.
    
    This changes the default behaviour and is the primary intention of this
    change: verify SSL certificates.
    
    This might break existing configuration/setups where the SSL certificate
    used by the NEC PFC driver would not pass the verification.
    
    SecurityImpact
    DocImpact
    Partial-Bug: 1188189
    
    Change-Id: I1e5fdc9c2ed5b812aa6509d1639bd499acc5c337

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1188189

Title:
  Some server-side 'SSL' communication fails to check certificates (use
  of HTTPSConnection)

Status in Cinder:
  In Progress
Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Neutron (virtual network service):
  In Progress
Status in OpenStack Compute (Nova):
  Confirmed
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released
Status in Python client library for Keystone:
  Fix Released
Status in OpenStack Object Storage (Swift):
  Invalid

Bug description:
  Grant Murphy from Red Hat reported usage of httplib.HTTPSConnection
  objects. In Python 2.x those do not perform CA checks so client
  connections are vulnerable to MiM attacks.

  """
  The following files use httplib.HTTPSConnection :
  keystone/middleware/s3_token.py
  keystone/middleware/ec2_token.py
  keystone/common/bufferedhttp.py
  vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py

  AFAICT HTTPSConnection does not validate server certificates and
  should be avoided. This is fixed in Python 3, however in 2.X no
  validation occurs. I suspect this is also applicable to most OpenStack
  modules that make HTTPS client calls.

  Similar problems were found in ovirt:
  https://bugzilla.redhat.com/show_bug.cgi?id=851672 (CVE-2012-3533)

  With solutions for ovirt:
  http://gerrit.ovirt.org/#/c/7209/
  http://gerrit.ovirt.org/#/c/7249/
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1188189/+subscriptions