Bug 951594 (CVE-2013-2191)
Summary: | CVE-2013-2191 python-bugzilla: Does not verify Bugzilla server certificate | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Florian Weimer <fweimer>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | bkabrda, crobinso, dmalcolm, dzickus, jlieskov, jrusnack, notting, security-response-team, thoger, wwoods
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2013-07-10 05:36:52 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 975961, 975962 | |
Bug Blocks: | 951587, 958831 | |
Description
Florian Weimer
2013-04-12 14:21:57 UTC

It was found that python-bugzilla, a Python library for interacting with Bugzilla instances over XML-RPC, did not perform X.509 certificate verification when using a secured SSL connection. A man-in-the-middle (MiTM) attacker could use this flaw to spoof the Bugzilla server via an arbitrary certificate.

This issue was discovered by Florian Weimer of the Red Hat Product Security Team. The CVE identifier CVE-2013-2191 has been assigned to this issue.

This issue affects the versions of the python-bugzilla package as shipped with Fedora releases 17 and 18. This issue affects the versions of the python-bugzilla package as shipped with Fedora EPEL-5 and Fedora EPEL-6.

Upstream patch: https://git.fedorahosted.org/cgit/python-bugzilla.git/commit/?id=a782282ee479ba4cc1b8b1d89700ac630ba83eef

Created python-bugzilla tracking bugs for this issue
Affects: fedora-all [bug 975961]
Affects: epel-all [bug 975962]

python-bugzilla-0.9.0-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

python-bugzilla-0.9.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

python-bugzilla-0.9.0-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

python-bugzilla-0.9.0-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
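The class of flaw in the description, an XML-RPC-over-HTTPS client that never checks the peer's X.509 certificate, shown beside its hardened form as an added Python 3 example that is not python-bugzilla's own code: `make_ssl_context(verify=False)` reproduces the unverified setup, `context_accepts_any_cert` flags it, and `make_proxy` refuses to build a client on it. The Bugzilla URL is a placeholder and nothing connects to the network.

```python
import ssl
import xmlrpc.client

# Added example (not python-bugzilla's code). BUGZILLA_URL is a placeholder;
# ServerProxy does not open a connection until a method is called.
BUGZILLA_URL = "https://bugzilla.example.invalid/xmlrpc.cgi"


def make_ssl_context(cafile=None, verify=True):
    """Return an SSL context for the XML-RPC transport.

    verify=False reproduces the CVE-2013-2191 class of flaw: the peer
    certificate chain is never validated and the hostname is never checked,
    so any certificate presented on the wire is accepted.
    """
    if verify:
        # create_default_context() sets CERT_REQUIRED, check_hostname=True
        # and loads the system trust store (or the CA bundle given in cafile).
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_accepts_any_cert(ctx):
    """True if a MITM could present an arbitrary certificate: either the
    chain is not required to validate or the hostname is not matched."""
    return ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname


def make_proxy(url=BUGZILLA_URL, ctx=None):
    """Build the XML-RPC client, refusing any context that skips verification."""
    ctx = ctx if ctx is not None else make_ssl_context()
    if context_accepts_any_cert(ctx):
        raise ValueError("refusing to talk to Bugzilla without certificate verification")
    return xmlrpc.client.ServerProxy(url, context=ctx)


if __name__ == "__main__":
    print("verifying client:", make_proxy())
    try:
        make_proxy(ctx=make_ssl_context(verify=False))
    except ValueError as exc:
        print("rejected:", exc)
```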