[Openstack-security] [Bug 1188189] Fix merged to cinder (master)

OpenStack Infra 1188189 at bugs.launchpad.net
Wed Mar 21 16:40:37 UTC 2018 

Reviewed:  https://review.openstack.org/538237
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=431b4284bf12dfd8f97af95a9b96356105e08404
Submitter: Zuul
Branch:    master

commit 431b4284bf12dfd8f97af95a9b96356105e08404
Author: Ibadulla Khan <ik.ibadkhan at gmail.com>
Date:   Fri Jan 26 19:08:35 2018 +0530

    QNAP Drivers - Move from httplib to requests
    
    Use driver_ssl_cert_verify under backend section to
    enable or disable SSL verfication.
    
    NOTE: IPv6 isn't supported by QNAP driver.
    
    Change-Id: Iba886fd0bd401052a444eb7a4427607e693d7c81
    Closes-Bug: 1658766
    Partial-Bug: 1188189

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1188189

Title:
  Some server-side 'SSL' communication fails to check certificates (use
  of HTTPSConnection)

Status in Cinder:
  In Progress
Status in OpenStack Identity (keystone):
  Fix Released
Status in neutron:
  Fix Released
Status in oslo.vmware:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released
Status in python-keystoneclient:
  Fix Released
Status in OpenStack Object Storage (swift):
  Invalid

Bug description:
  Grant Murphy from Red Hat reported usage of httplib.HTTPSConnection
  objects. In Python 2.x those do not perform CA checks so client
  connections are vulnerable to MiM attacks.

  """
  The following files use httplib.HTTPSConnection :
  keystone/middleware/s3_token.py
  keystone/middleware/ec2_token.py
  keystone/common/bufferedhttp.py
  vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py

  AFAICT HTTPSConnection does not validate server certificates and
  should be avoided. This is fixed in Python 3, however in 2.X no
  validation occurs. I suspect this is also applicable to most OpenStack
  modules that make HTTPS client calls.

  Similar problems were found in ovirt:
  https://bugzilla.redhat.com/show_bug.cgi?id=851672 (CVE-2012-3533)

  With solutions for ovirt:
  http://gerrit.ovirt.org/#/c/7209/
  http://gerrit.ovirt.org/#/c/7249/
  """

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1188189/+subscriptions

More information about the Openstack-security mailing list