Red Hat Bugzilla – Bug 989738
CVE-2013-4111 OpenStack: python-glanceclient failing SSL certificate check
Last modified: 2016-04-26 15:12:28 EDT
Thierry Carrez (firstname.lastname@example.org) reports:
A vulnerability was fixed publicly in OpenStack Python Glance client
recently, and we think it warrants a security advisory to make sure
everyone is aware of it.
We obviously can't embargo anything here since the issue is public
already, but we figured you would still appreciate a day heads-up
before we publish the advisory and attract the rest of the world
attention on the issue.
Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Affects: All versions
Thomas Leaman from HP reported that the Python Glance client was
failing to properly check certificates during the establishment of
HTTPS connections. A remote attacker with access over segments of the
network between client and server could potentially set up a man-in
the-middle attack and access the contents of the Glance client request
python-glanceclient fix (will be included in future release):
This is officially public now: http://openwall.com/lists/oss-security/2013/07/30/11
Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Thomas Leaman of HP as the original reporter.
This issue has been addressed in following products:
OpenStack 3 for RHEL 6
Via RHSA-2013:1200 https://rhn.redhat.com/errata/RHSA-2013-1200.html
python-glanceclient-0.9.0-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.