** Changed in: ossn
     Assignee: Ian Cordasco (icordasc) => (unassigned)

** Changed in: ossn
     Assignee: (unassigned) => Grant Murphy (gmurphy)

https://bugs.launchpad.net/bugs/1436082

Title:
  VMWare and HTTP stores do not verify HTTPS Connections as they use
  httplib.HTTPSConnection

Status in glance_store:
  In Progress
Status in OpenStack Security Notes:
  In Progress

Bug description:
  VMWare store:
  https://github.com/openstack/glance_store/blob/ea88e503b617a7ac9a0ae7e537d6517e9992a104/glance_store/_drivers/vmware_datastore.py#L501
  (_get_conn_class above uses simply httplib.HTTPSConnection).

  HTTP Store:
  https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/http.py#L179

  This leaves both stores open to man-in-the-middle attacks while
  transferring image data.
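
The gap described in the report, shown as an added example that is not glance_store code and not the project's fix: it uses Python 3's `http.client` (the successor of `httplib`) and contrasts a TLS context that performs no peer checks with one that validates the certificate chain and hostname. The function names and the `images.example.test` host are assumptions made for illustration.

```python
import http.client
import ssl


def unverified_context():
    """Constructed stand-in for the reported behaviour: TLS with no peer checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """Context that validates the chain against the trust store and the hostname."""
    # cafile=None uses the system trust store; pass a bundle for a private CA.
    return ssl.create_default_context(cafile=cafile)


def context_findings(ctx):
    """Return the verification gaps of an SSLContext (empty list means none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    return findings


def open_store_connection(host, port=443, context=None, timeout=30):
    """Build an HTTPS connection object, refusing contexts that skip verification."""
    ctx = context if context is not None else verifying_context()
    findings = context_findings(ctx)
    if findings:
        raise ValueError("refusing unverified TLS: " + "; ".join(findings))
    # No network traffic happens here; the handshake runs on the first request.
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)


if __name__ == "__main__":
    print("unverified:", context_findings(unverified_context()))
    print("verifying: ", context_findings(verifying_context()))
    conn = open_store_connection("images.example.test")  # hypothetical host
    print("connection object for", conn.host, conn.port)
```

With the verifying context, a certificate that does not chain to the trust store or does not match the host fails the handshake with `ssl.SSLCertVerificationError` before any image data is transferred.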