[openstack-announce] [OSSA 2013-018] Missing SSL certificate check in Python glance client (CVE-2013-4111)

Thierry Carrez thierry at openstack.org
Tue Jul 30 14:17:05 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-018
CVE: CVE-2013-4111
Date: July 30, 2013
Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was not
verifying the server's certificate when establishing HTTPS connections.
A remote attacker positioned on any network segment between the client
and the Glance server could therefore present a certificate of their own,
mount a man-in-the-middle attack, and read or alter the contents of the
Glance client's requests and the server's responses.

python-glanceclient fix (will be included in a future release):
https://review.openstack.org/#/c/33464/
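The vulnerability class above (an HTTPS client that accepts any certificate) and the shape of the fix (require a CA-validated chain and check the presented name against the requested host) are illustrated by the following added example. It is not python-glanceclient's own code and is not the patch linked above; it is a Python 3 sketch using the standard `ssl` and `http.client` modules. The function names (`insecure_context`, `verified_context`, `audit_context`, `cert_matches_hostname`, `https_connection`) and the sample certificate dictionaries (in the format returned by `SSLSocket.getpeercert()`) are constructed for this illustration.

```python
"""Client-side TLS verification for an HTTPS API client (added example,
not glanceclient code). Shows the vulnerable 'accept anything' settings,
the verified settings, and the host-name matching a verified client needs."""
import ssl
import http.client


def insecure_context():
    """TLS settings equivalent to 'no certificate check' (the vulnerable behaviour)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be off before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any cert, signed by anyone, for any name, is accepted
    return ctx


def verified_context(cafile=None):
    """TLS settings a client must use: chain validated against a CA bundle and
    the presented name checked against the host we asked for.
    create_default_context() sets CERT_REQUIRED and check_hostname=True;
    cafile=None uses the system trust store, pass a private CA bundle otherwise."""
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx):
    """Return the list of verification weaknesses in an SSLContext (empty means OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for another host is accepted")
    return findings


def _dnsname_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, trailing dot ignored, and a
    wildcard is only honoured as the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail:
        return False          # '*', 'gl*.example.org' etc. are not accepted
    h_head, _, h_tail = hostname.partition(".")
    return bool(h_head) and h_tail == tail


def cert_matches_hostname(cert, hostname):
    """Does the peer certificate (getpeercert() dict) cover `hostname`?
    SAN dNSName entries take precedence; the subject CN is only a legacy fallback."""
    dnsnames = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if dnsnames:
        return any(_dnsname_matches(p, hostname) for p in dnsnames)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dnsname_matches(value, hostname)
    return False


def https_connection(host, port=443, ctx=None):
    """Build an HTTPSConnection that refuses to use an unverifying context."""
    ctx = ctx or verified_context()
    if audit_context(ctx):
        raise ValueError("refusing to use an SSLContext that does not verify the server")
    return http.client.HTTPSConnection(host, port, context=ctx)


# Constructed sample certificates in getpeercert() format (not real certificates).
SERVER_CERT = {
    "subject": ((("commonName", "glance.example.org"),),),
    "subjectAltName": (("DNS", "glance.example.org"), ("DNS", "*.api.example.org")),
}
IMPOSTOR_CERT = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}
LEGACY_CN_CERT = {  # no SAN extension at all
    "subject": ((("countryName", "US"),), (("commonName", "glance.example.org"),)),
}


if __name__ == "__main__":
    print("insecure context findings:", audit_context(insecure_context()))
    print("verified context findings:", audit_context(verified_context()))
    for cert, name in ((SERVER_CERT, "glance.example.org"),
                       (IMPOSTOR_CERT, "glance.example.org")):
        print(name, "matched by", cert["subjectAltName"], "->",
              cert_matches_hostname(cert, name))
```

The point of `audit_context` and the guard in `https_connection` is that the failure mode in this advisory is silent: a client built with the insecure settings completes the handshake with an impostor and nothing in the response tells you. Making the verified settings the default and failing closed when they are missing is what turns the bug into an error at construction time rather than a leaked request on the wire.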

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111
https://bugs.launchpad.net/python-glanceclient/+bug/1192229

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
-----END PGP SIGNATURE-----