Bug 989738 - (CVE-2013-4111) CVE-2013-4111 OpenStack: python-glanceclient failing SSL certificate check
CVE-2013-4111 OpenStack: python-glanceclient failing SSL certificate check
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130729,repor...
: Security
Depends On: 994838 994839 994840 994841 994842
Blocks: 989759
  Show dependency treegraph
 
Reported: 2013-07-29 15:52 EDT by Kurt Seifried
Modified: 2016-04-26 15:12 EDT (History)
22 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-11-06 00:42:28 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2013-07-29 15:52:24 EDT
Thierry Carrez (thierry@openstack.org) reports:

A vulnerability was fixed publicly in OpenStack Python Glance client
recently, and we think it warrants a security advisory to make sure
everyone is aware of it.

We obviously can't embargo anything here since the issue is public
already, but we figured you would still appreciate a day heads-up
before we publish the advisory and attract the rest of the world
attention on the issue.

Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was
failing to properly check certificates during the establishment of
HTTPS connections. A remote attacker with access over segments of the
network between client and server could potentially set up a man-in
the-middle attack and access the contents of the Glance client request
(or response).

python-glanceclient fix (will be included in future release):
https://review.openstack.org/#/c/33464/ 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111 
https://bugs.launchpad.net/python-glanceclient/+bug/1192229
Comment 2 Kurt Seifried 2013-07-31 04:06:02 EDT
This is officially public now: http://openwall.com/lists/oss-security/2013/07/30/11
Comment 3 Murray McAllister 2013-09-03 03:37:56 EDT
Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Thomas Leaman of HP as the original reporter.
Comment 4 errata-xmlrpc 2013-09-03 16:18:29 EDT
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1200 https://rhn.redhat.com/errata/RHSA-2013-1200.html
Comment 5 Fedora Update System 2013-11-13 22:34:00 EST
python-glanceclient-0.9.0-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.