[openstack-dev] [openstack-announce] [OSSA 2013-018] Missing SSL certificate check in Python glance client (CVE-2013-4111)
Lloyd Dewolf
lloydostack at gmail.com
Thu Aug 8 20:06:31 UTC 2013
On Tue, Jul 30, 2013 at 7:17 AM, Thierry Carrez <thierry at openstack.org> wrote:
>
> OpenStack Security Advisory: 2013-018
> CVE: CVE-2013-4111
> Date: July 30, 2013
> Title: Missing SSL certificate check in Python glance client
> Reporter: Thomas Leaman (HP)
> Products: python-glanceclient
> Affects: All versions
>
> Description:
> Thomas Leaman from HP reported that the Python Glance client was
> failing to properly check certificates during the establishment of
> HTTPS connections. A remote attacker with access over segments of the
> network between client and server could potentially set up a
> man-in-the-middle attack and access the contents of the Glance client
> request (or response).
>
> python-glanceclient fix (will be included in a future release):
> https://review.openstack.org/#/c/33464/
Is there a release with this fix at this time?
https://pypi.python.org/pypi/python-glanceclient/ lists the most
recent version 0.9.0 as uploaded 2013-04-03.
My understanding was that there was consensus around cutting releases
of clients on OSSA.
Thank you,
Lloyd
--
@lloyddewolf