Trevor McKay discovered that, due to movement of code to aviary/python/aviary/clients.py, an import error was introduced inside of an exception block that tests for support of server certificate validation over HTTP. Because of this, server certificate validation is always disabled when connecting to Aviary servers, even if the installed packages on a system support it. If an administrator had set up cumin, expecting server certificate validation, they would not realize it had been disabled unless they examined the web.log file. This issue was introduced in the code refactoring in r5310. Cumin has been built for all supported versions of Fedora at r5522, which contains the fault. Current versions of Red Hat Enterprise MRG do not ship with the faulty code and are unaffected.

Statement: Not vulnerable. This issue did not affect the versions of cumin as shipped with Red Hat Enterprise MRG 1 or 2.

Acknowledgements: This issue was discovered by Trevor McKay of Red Hat.
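As an added illustration (not cumin's own code), the capability-probe pattern the report describes, once in the faulty shape where a bare except swallows a NameError and reports "no support", and once hardened so only a genuine ImportError downgrades and the downgrade is logged at warning level. `import_ok`, `import_missing`, the logger name and the backend string are constructed stand-ins.

```python
import logging

log = logging.getLogger("cumin.aviary")

# Constructed stand-ins for the import being probed (not cumin's own code).
def import_ok():
    return object()  # simulates the optional HTTPS transport import succeeding

def import_missing():
    raise ImportError("No module named https_full")  # package not installed

def probe_buggy(load_transport):
    """Faulty pattern from the report: more than the import sits inside a bare
    except, so any error reads as 'no support'. The unbound name 'sage' (the
    missing 'import sage') raises NameError, which is swallowed."""
    try:
        load_transport()
        has_full_cert = True
        technology = sage.https_full.technology  # noqa: F821 - deliberate NameError
    except:
        has_full_cert = False
        technology = "unspecified"
    return has_full_cert, technology

def probe_fixed(load_transport, technology="unspecified"):
    """Hardened pattern: only the import is in the try, only ImportError is
    caught, and the downgrade is logged at WARNING. Anything else (a typo, a
    missing attribute) propagates instead of silently disabling validation."""
    try:
        load_transport()
    except ImportError as exc:
        log.warning("server certificate validation disabled: %s", exc)
        return False, "unspecified"
    return True, technology

def probe_fixed_propagates(exc_type):
    """True if probe_fixed lets a non-ImportError coding error surface."""
    def broken_import():
        raise exc_type("coding error inside the probe")
    try:
        probe_fixed(broken_import)
    except exc_type:
        return True
    return False

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Packages support validation, yet the buggy probe reports it unavailable.
    print("buggy, import ok:", probe_buggy(import_ok))          # (False, 'unspecified')
    print("fixed, import ok:", probe_fixed(import_ok, "example-backend"))
```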
Proposed patch: Index: sage/python/sage/aviary/clients.py =================================================================== --- sage/python/sage/aviary/clients.py (revision 5672) +++ sage/python/sage/aviary/clients.py (working copy) @@ -1,4 +1,6 @@ import os +import sage + from suds.client import Client from sage.util import ObjectPool from suds.transport.https import HttpAuthenticated @@ -7,10 +9,16 @@ try: from sage.https_full import HTTPSFullCertTransport has_full_cert = True - technology = sage.https_full.technology except: has_full_cert = False +technology = "unspecified" +if has_full_cert: + try: + technology = sage.https_full.technology + except: + pass + class TransportFactory(object): def __init__(self, key="", cert="", root_cert="", domain_verify=True): self.key = key @@ -31,7 +39,7 @@ else: log.info("%s: using client and server "\ "certificate validation for ssl connections, "\ - "solution is %s" % (where, clients.technology)) + "solution is %s" % (where, technology)) log.info("%s: verify server domain against "\ "certificate during validation (%s)" \
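Review bot: in the second hunk the bare `except:` around the import probe is exactly what turned the missing `import sage` into a silent downgrade, and the patch keeps it; narrow it to `except ImportError:` so any other failure inside the probe raises instead of quietly setting `has_full_cert = False`. The new `try: technology = sage.https_full.technology / except: pass` block has the same property and should catch `AttributeError` only (the `if has_full_cert:` guard is also what makes `sage.https_full` resolvable, since that attribute on the package exists only after the `from sage.https_full import ...` succeeded). Since the report notes administrators only discover the downgrade by reading web.log, consider logging at warning level on the `has_full_cert = False` path rather than leaving it to the later `log.info` call.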
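Review bot: in the third hunk, `clients.technology` referred to a name that is never bound in this module (the file is clients.py itself), so on the validation-enabled branch this `log.info` call would have raised NameError; switching to the module-level `technology` set in the previous hunk is the right fix. With the new `"unspecified"` default the message can now read `solution is unspecified` when `has_full_cert` is True but the attribute lookup failed, which deserves a distinct wording so it is not mistaken for validation being off.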
Created cumin tracking bugs for this issue:

Affects: fedora-all [bug 908505]
Patch has been committed on the cumin trunk, revision 5700