[Openstack-security] Python SSL vulnerability

Kurt Seifried kseifried at redhat.com
Fri Oct 4 16:00:31 UTC 2013


On 10/04/2013 08:07 AM, Clark, Robert Graham wrote:
> Hi Guys,
> 
> Worth flagging this here in case anyone missed it, I thought we
> were past the NULL Cname issues in SSL libraries, I guess not:
> 
> http://www.ubuntu.com/usn/usn-1983-1/
> 
> -Rob

To put it bluntly, almost everything that handles SSL does it wrong in
some way. Some have been mostly fixed, but I suspect there are new
classes of attacks. SSL is bad for failure scenarios too: you have to
intentionally mangle things quite badly (certificates, etc.) and things
may just keep working, but in an insecure manner that is non-obvious.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
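Two checks a practitioner would want after reading the thread, as an added example that is not part of the mailing-list posts and not Python's own ssl code. The first models the bug class Rob refers to (a NUL byte embedded in a certificate name) with a deliberately naive matcher that truncates at the NUL, as a C-string based parser would, beside a strict matcher that rejects it; the naive version illustrates the class of bug and is not Python's historical implementation. The second audits an ssl.SSLContext for the quiet "keeps working, but insecurely" settings Kurt describes (verification off, hostname check off). Certificate dicts, host names and the weak_context() helper are constructed here for illustration; the SSLContext attributes used (verify_mode, check_hostname) are real.

```python
import ssl


def naive_match(cert_name: str, hostname: str) -> bool:
    """Deliberately broken matcher: stops at the first NUL like a C string.

    A name such as "www.bank.example\\x00.attacker.example" is compared as
    "www.bank.example", so a certificate issued to the attacker's domain
    is accepted for the bank's host.
    """
    truncated = cert_name.split("\x00", 1)[0]
    return truncated.lower() == hostname.lower()


def strict_match(cert_name: str, hostname: str) -> bool:
    """Match one certificate DNS name against a host name, rejecting NUL bytes.

    An embedded NUL or any other control character can never be part of a
    legitimate DNS name, so it is treated as an attack indicator and fails
    the match outright rather than being truncated or ignored.
    """
    if not cert_name or not hostname:
        return False
    if any(ord(c) < 0x20 for c in cert_name):
        return False
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Wildcard only in the leftmost label and only with at least two
        # fixed labels to its right, so "*.example" does not match everything.
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def cert_matches(cert: dict, hostname: str) -> bool:
    """Apply strict_match to a cert in the dict shape SSLSocket.getpeercert() returns.

    subjectAltName dNSName entries take precedence; the subject commonName is
    consulted only when no dNSName entry is present at all.
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(strict_match(name, hostname) for name in dns_names)


# Constructed sample certificates (not real certificates), in getpeercert() layout.
HOSTILE_CERT = {
    "subject": ((("commonName", "www.bank.example\x00.attacker.example"),),),
    "subjectAltName": (("DNS", "www.bank.example\x00.attacker.example"),),
}
HONEST_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.bank.example")),
}


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of fail-open findings for a client SSLContext.

    Either setting below lets a connection "just keep working" against a
    forged or mismatched certificate without any visible error.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: the peer certificate is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any name is accepted")
    return findings


def weak_context() -> ssl.SSLContext:
    """Hypothetical helper: the kind of context that silently disables verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    target = "www.bank.example"
    hostile = HOSTILE_CERT["subjectAltName"][0][1]
    print("naive matcher accepts hostile name:", naive_match(hostile, target))
    print("strict matcher accepts hostile name:", strict_match(hostile, target))
    print("honest cert matches:", cert_matches(HONEST_CERT, target))
    print("default context findings:", audit_context(ssl.create_default_context()))
    print("weak context findings:", audit_context(weak_context()))
```

Running the module prints True for the naive matcher and False for the strict one on the hostile name, and two findings for the weak context versus none for ssl.create_default_context(); the audit is cheap enough to run in a test suite against every context a code base builds.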