[Openstack-security] [Bug 1372643] Re: MITM vulnerability with XIV driver
Jeremy Stanley
fungi at yuggoth.org
Mon Oct 6 15:51:53 UTC 2014
Granted the position is worth revisiting. Are we to the point where
we're ready as a project to declare victory on bug 1188189 now and
consider anything else which doesn't encrypt internal communications or
fails to validate server certificates (for SSL sockets, SSH, et cetera)
a surprise to the community and worth individual security advisories and
mandatory stable backports going forward?
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1372643
Title:
  MITM vulnerability with XIV driver

Status in Cinder:
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  The XIV driver in Juno appears to blindly trust whatever certificate
  it gets back from the device without any validation. This would leave
  it open to a MITM attack.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1372643/+subscriptions