[Openstack-security] [Bug 1188189] Fix merged to python-keystoneclient (master)

OpenStack Infra 1188189 at bugs.launchpad.net
Fri Sep 13 05:11:05 UTC 2013


Reviewed:  https://review.openstack.org/34161
Committed: http://github.com/openstack/python-keystoneclient/commit/20e166fd8a943ee3f91ba362a47e9c14c7cc5f4c
Submitter: Jenkins
Branch:    master

commit 20e166fd8a943ee3f91ba362a47e9c14c7cc5f4c
Author: Jamie Lennox <jlennox at redhat.com>
Date:   Mon Aug 12 13:12:27 2013 +1000

    Replace HttpConnection in auth_token with Requests
    
    Requests is becoming the standard way of doing http communication, it
    also vastly simplifies adding other authentication mechanisms. Use it in
    the auth_token middleware.
    
    This adds the ability to specify a CA file that will be used to verify
    HTTPS connections, or insecure to specifically ignore HTTPS validation.
    
    SecurityImpact
    DocImpact
    Partial-Bug: #1188189
    Change-Id: Iae94329e7abd105bf95224d28f39f4b746b9eb70

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1188189

Title:
  Some server-side 'SSL' communication fails to check certificates (use
  of HTTPSConnection)

Status in Cinder:
  Confirmed
Status in OpenStack Identity (Keystone):
  Confirmed
Status in OpenStack Neutron (virtual network service):
  Confirmed
Status in OpenStack Compute (Nova):
  Confirmed
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  In Progress
Status in Python client library for Keystone:
  In Progress
Status in OpenStack Object Storage (Swift):
  Invalid

Bug description:
  Grant Murphy from Red Hat reported usage of httplib.HTTPSConnection
  objects. In Python 2.x those do not perform CA checks so client
  connections are vulnerable to MiM attacks.

  """
  The following files use httplib.HTTPSConnection :
  keystone/middleware/s3_token.py
  keystone/middleware/ec2_token.py
  keystone/common/bufferedhttp.py
  vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py

  AFAICT HTTPSConnection does not validate server certificates and
  should be avoided. This is fixed in Python 3, however in 2.X no
  validation occurs. I suspect this is also applicable to most OpenStack
  modules that make HTTPS client calls.

  Similar problems were found in ovirt:
  https://bugzilla.redhat.com/show_bug.cgi?id=851672 (CVE-2012-3533)

  With solutions for ovirt:
  http://gerrit.ovirt.org/#/c/7209/
  http://gerrit.ovirt.org/#/c/7249/
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1188189/+subscriptions