[Openstack-security] [Bug 1188189] Fix merged to cinder (master)

OpenStack Infra 1188189 at bugs.launchpad.net
Mon Mar 3 03:26:07 UTC 2014 

Reviewed:  https://review.openstack.org/75667
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=0f9652d92e175a1f7dc3c2a37ab444b8f189375a
Submitter: Jenkins
Branch:    master

commit 0f9652d92e175a1f7dc3c2a37ab444b8f189375a
Author: Daniel Gollub <d.gollub at telekom.de>
Date:   Sun Feb 23 09:30:00 2014 +0100

    Replace httplib.HTTPSConnection in unittests
    
    SSL Verification is from now on enabled by default for the
    TestOpenStackClient. So far no unittests was making actively use of
    httplib.HTTPSConnection.
    
    Intention is to reduce noise of audits/scanners which look for Python 2.x
    httplib.HTTPSConnection missing SSL verification. By completely abandoning the use
    of httplib.HTTPSConnection.
    
    Change-Id: Ic0352cf453d5c41f09084a6d68b3393b8ddda84a
    Partial-Bug: 1188189

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1188189

Title:
  Some server-side 'SSL' communication fails to check certificates (use
  of HTTPSConnection)

Status in Cinder:
  In Progress
Status in OpenStack Identity (Keystone):
  In Progress
Status in OpenStack Neutron (virtual network service):
  In Progress
Status in OpenStack Compute (Nova):
  Confirmed
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released
Status in Python client library for Keystone:
  Fix Released
Status in OpenStack Object Storage (Swift):
  Invalid

Bug description:
  Grant Murphy from Red Hat reported usage of httplib.HTTPSConnection
  objects. In Python 2.x those do not perform CA checks so client
  connections are vulnerable to MiM attacks.

  """
  The following files use httplib.HTTPSConnection :
  keystone/middleware/s3_token.py
  keystone/middleware/ec2_token.py
  keystone/common/bufferedhttp.py
  vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py

  AFAICT HTTPSConnection does not validate server certificates and
  should be avoided. This is fixed in Python 3, however in 2.X no
  validation occurs. I suspect this is also applicable to most OpenStack
  modules that make HTTPS client calls.

  Similar problems were found in ovirt:
  https://bugzilla.redhat.com/show_bug.cgi?id=851672 (CVE-2012-3533)

  With solutions for ovirt:
  http://gerrit.ovirt.org/#/c/7209/
  http://gerrit.ovirt.org/#/c/7249/
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1188189/+subscriptions

More information about the Openstack-security mailing list