Thierry Carrez (thierry) reports: A vulnerability was fixed publicly in OpenStack Python Glance client recently, and we think it warrants a security advisory to make sure everyone is aware of it. We obviously can't embargo anything here since the issue is public already, but we figured you would still appreciate a day heads-up before we publish the advisory and attract the rest of the world attention on the issue. Title: Missing SSL certificate check in Python glance client Reporter: Thomas Leaman (HP) Products: python-glanceclient Affects: All versions Description: Thomas Leaman from HP reported that the Python Glance client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in the-middle attack and access the contents of the Glance client request (or response). python-glanceclient fix (will be included in future release): https://review.openstack.org/#/c/33464/ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111 https://bugs.launchpad.net/python-glanceclient/+bug/1192229
This is officially public now: http://openwall.com/lists/oss-security/2013/07/30/11
Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Thomas Leaman of HP as the original reporter.
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2013:1200 https://rhn.redhat.com/errata/RHSA-2013-1200.html
python-glanceclient-0.9.0-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.