[Openstack] [OSSA 2014-005] Missing SSL certificate check in Python Swift client (CVE-2013-6396)

Matthew Thode prometheanfire at gentoo.org
Mon Mar 3 21:15:32 UTC 2014


On 03/03/2014 02:23 PM, Sean Dague wrote:
> On 03/03/2014 12:56 PM, Tristan Cacqueray wrote:
>> On 02/28/2014 07:52 PM, david.comay at oracle.com wrote:
>>>> OpenStack Security Advisory: 2014-005
>>>> CVE: CVE-2013-6396
>>>> Date: February 17, 2014
>>>> Title: Missing SSL certificate check in Python Swift client
>>>> Reporter: Thomas Leaman (HP)
>>>> Products: python-swiftclient
>>>> Versions: 1.0 version up to 1.9.0
>>>
>>>> python-swiftclient fix (included in 2.0 release):
>>>> https://review.openstack.org/#/c/69187
>>>
>>> I understand why the fix is specific to the 2.x branch
>>> (https://bugs.launchpad.net/python-swiftclient/+bug/1199783/comments/21)
>>> but does anyone know how compatible this version of python-swiftclient
>>> is with Grizzly?  In particular, both Glance and Horizon from Grizzly
>>> strictly specify python-swiftclient>=1.2,<2 but I know in Havana and
>>> later the upper-bound was removed.
>>
>> Hi David,
>>
>> the bump to 2.x included some API changes (in method parameters and CLI
>> options), and "may" work for grizzly.
>>
>> For the record, I just tested 2.x branch against grizzly, and basic
>> commands worked as expected (list, upload, download).
>>
>> Best regards,
>> Tristan
> 
> 2.x isn't grizzly compatible, we ran into substantial issues with the
> swift cli which made us dump a bunch of the swift tests in the gate to
> stop blocking stable/havana code from moving forward.
> 
> 	-Sean
> 
Are you relying on us (packagers) to change the version requirements to
<= 2.0 instead of < 2.0?  I would like to get this fixed for grizzly in
Gentoo as well.

-- 
-- Matthew Thode (prometheanfire)
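The packaging question in this thread is whether a pin can ever resolve to a patched release. The following is an added example, not code from the thread or from python-swiftclient: it parses a requirements-style pin and probes it with the advisory's boundary releases (last affected 1.9.0, first fixed 2.0), so the Grizzly pin `>=1.2,<2`, the proposed `<=2.0`, and a clean `>=2.0` can be compared.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Constraint = Tuple[str, Version]

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
}

def parse_version(text: str) -> Version:
    """'1.9.0' -> (1, 9, 0); '2' -> (2, 0, 0). Padding makes '2' and '2.0.0' compare equal."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def parse_requirement(spec: str) -> List[Constraint]:
    """'python-swiftclient>=1.2,<2' -> [('>=', (1, 2, 0)), ('<', (2, 0, 0))]."""
    m = re.match(r"^\s*[A-Za-z0-9][A-Za-z0-9_.-]*\s*(.*)$", spec)
    if not m:
        raise ValueError(f"not a requirement line: {spec!r}")
    constraints = []
    for clause in filter(None, (c.strip() for c in m.group(1).split(","))):
        cm = re.match(r"^(>=|<=|==|<|>)\s*([0-9][0-9.]*)$", clause)
        if not cm:
            raise ValueError(f"unsupported clause: {clause!r}")
        constraints.append((cm.group(1), parse_version(cm.group(2))))
    return constraints

def satisfies(version: str, constraints: List[Constraint]) -> bool:
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in constraints)

def check_pin(spec: str, last_affected: str, first_fixed: str) -> Dict[str, object]:
    """Probe a pin with the advisory's last affected and first fixed release."""
    cons = parse_requirement(spec)
    admits_vuln = satisfies(last_affected, cons)
    admits_fixed = satisfies(first_fixed, cons)
    if not admits_fixed:
        verdict = "excludes every patched release"
    elif admits_vuln:
        verdict = "admits both vulnerable and patched releases"
    else:
        verdict = "admits only patched releases"
    return {"admits_last_affected": admits_vuln, "admits_first_fixed": admits_fixed, "verdict": verdict}

if __name__ == "__main__":
    # Values from the advisory and thread: affected 1.0 up to 1.9.0, fixed in 2.0,
    # Grizzly pin >=1.2,<2, the packager's proposed <=2.0, and a patched-only pin.
    for pin in ("python-swiftclient>=1.2,<2", "python-swiftclient>=1.2,<=2.0", "python-swiftclient>=2.0"):
        print(pin, "->", check_pin(pin, "1.9.0", "2.0")["verdict"])
```

Relaxing the upper bound to `<=2.0` lets the fixed release install but still admits every affected 1.x release; only a pin whose lower bound is at or above 2.0 rules them out.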
