[OSSA 2013-018] Missing SSL certificate check in Python glance client (CVE-2013-4111)
OpenStack Security Advisory: 2013-018
CVE: CVE-2013-4111
Date: July 30, 2013
Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Glance client request (or response).

python-glanceclient fix (will be included in a future release):
https://review.openstack.org/#/c/33464/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111
https://bugs.launchpad.net/python-glanceclient/+bug/1192229

Regards,

--
Thierry Carrez
OpenStack Vulnerability Management Team
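As an added illustration, not part of the advisory and not python-glanceclient code: a Python check for the two verifications an HTTPS client must perform, validating the certificate chain and matching the certificate to the requested hostname. The function names are hypothetical, and the advisory does not state which of the two checks the client skipped.

```python
import ssl


def verification_gaps(ctx):
    """Return the certificate checks that a client-side SSLContext would skip."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain: server certificate is not validated against trusted CAs")
    if not ctx.check_hostname:
        gaps.append("hostname: certificate is not matched to the requested host")
    return gaps


def strict_client_context(cafile=None):
    """Context that performs both checks; cafile is an optional private CA bundle."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True            # already the default, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default, stated explicitly
    return ctx


def chain_only_context():
    """Validates the chain but accepts a valid certificate issued for any host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    return ctx


def unverified_context():
    """Performs neither check: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be disabled before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, factory in [("strict", strict_client_context),
                          ("chain only", chain_only_context),
                          ("unverified", unverified_context)]:
        gaps = verification_gaps(factory())
        print(name + ":", "; ".join(gaps) if gaps else "both checks enforced")
```

A context that reports either gap leaves the connection open to the interception the advisory describes, so a check like this can gate client configuration in tests or at startup.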