[openstack-announce] [OSSA 2014-005] Missing SSL certificate check in Python Swift client (CVE-2013-6396)

Tristan Cacqueray tristan.cacqueray at enovance.com
Mon Feb 17 14:56:43 UTC 2014


OpenStack Security Advisory: 2014-005
CVE: CVE-2013-6396
Date: February 17, 2014
Title: Missing SSL certificate check in Python Swift client
Reporter: Thomas Leaman (HP)
Products: python-swiftclient
Versions: 1.0 version up to 1.9.0

Description:
Thomas Leaman from HP reported that the Python Swift client was failing
to properly check certificates during the establishment of HTTPS
connections. A remote attacker with access over segments of the network
between client and server could potentially set up a man-in-the-middle
attack and access the contents of the Swift client's communication with
the server, including any used credentials.

python-swiftclient fix (included in 2.0 release):
https://review.openstack.org/#/c/69187

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6396
https://bugs.launchpad.net/bugs/1199783

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140217/6633c9b6/attachment.pgp>


More information about the OpenStack-announce mailing list