[Openstack-security] [Bug 1436082] Re: VMWare and HTTP stores do not verify HTTPS Connections as they use httplib.HTTPSConnection

Jeremy Stanley fungi at yuggoth.org
Fri Mar 27 23:03:12 UTC 2015 

** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1436082

Title:
  VMWare and HTTP stores do not verify HTTPS Connections as they use
  httplib.HTTPSConnection

Status in OpenStack Glance backend store-drivers library (glance_store):
  In Progress

Bug description:
  VMWare store:
  https://github.com/openstack/glance_store/blob/ea88e503b617a7ac9a0ae7e537d6517e9992a104/glance_store/_drivers/vmware_datastore.py#L501
  (_get_conn_class above uses simply httplib.HTTPSConnection).

  HTTP Store:
  https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/http.py#L179

  This leaves both stores open to man-in-the-middle attacks while
  transferring image data.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance-store/+bug/1436082/+subscriptions

More information about the Openstack-security mailing list