[openstack-dev] [openstack-announce] [OSSA 2013-018] Missing SSL certificate check in Python glance client (CVE-2013-4111)

Lloyd Dewolf lloydostack at gmail.com
Thu Aug 8 20:06:31 UTC 2013


On Tue, Jul 30, 2013 at 7:17 AM, Thierry Carrez <thierry at openstack.org> wrote:
>
> OpenStack Security Advisory: 2013-018
> CVE: CVE-2013-4111
> Date: July 30, 2013
> Title: Missing SSL certificate check in Python glance client
> Reporter: Thomas Leaman (HP)
> Products: python-glanceclient
> Affects: All versions
>
> Description:
> Thomas Leaman from HP reported that the Python Glance client was
> failing to properly check certificates during the establishment of
> HTTPS connections. A remote attacker with access over segments of the
> network between client and server could potentially set up a
> man-in-the-middle attack and access the contents of the Glance client request
> (or response).
>
> python-glanceclient fix (will be included in a future release):
> https://review.openstack.org/#/c/33464/

Is there a release with this fix at this time?

https://pypi.python.org/pypi/python-glanceclient/ lists the most
recent version 0.9.0 as uploaded 2013-04-03.

My understanding was that there was consensus around cutting releases
of clients on OSSA.

Thank you,
Lloyd

--
@lloyddewolf


