[OSSA 2013-018] Missing SSL certificate check in Python glance client (CVE-2013-4111)
OpenStack Security Advisory: 2013-018
CVE: CVE-2013-4111
Date: July 30, 2013
Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Glance client request (or response).

python-glanceclient fix (will be included in a future release):
https://review.openstack.org/#/c/33464/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111
https://bugs.launchpad.net/python-glanceclient/+bug/1192229

Regards,
--
Thierry Carrez
OpenStack Vulnerability Management Team