The OpenStack project reports:

""
Title: TLS cert verification option not honoured in paste configs
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1 (python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly shipped as python-keystoneclient). When the 'insecure' SSL option is set in a paste configuration file it is effectively ignored, regardless of its value. As a result certificate verification will be disabled, leaving TLS connections open to MITM attacks. All versions of keystonemiddleware with TLS settings configured via a paste.ini file are affected by this flaw.
""

Upstream fix:
https://review.openstack.org/#/c/112232/

References:
http://launchpad.net/bugs/1353315
http://www.openwall.com/lists/oss-security/2014/09/17/3
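The advisory above does not spell out the root cause. The following is an added illustration (not keystonemiddleware's own code) of one common way a paste.ini boolean ends up "ignored regardless of its value": paste config values arrive as strings, so a non-empty string such as 'false' is truthy unless it is parsed explicitly. The sample config and helper names are constructed for this example; the fixed variant shows the strict parsing a deployer can check for.

```python
"""Config-handling pitfall illustrated: a string-typed 'insecure' option
silently disables TLS verification unless it is parsed as a boolean."""
import configparser

# Constructed sample paste config (not from the advisory). The operator's
# intent is that certificate verification stays ON.
SAMPLE_PASTE_INI = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = false
"""

_TRUE = {"1", "t", "true", "on", "y", "yes"}
_FALSE = {"0", "f", "false", "off", "n", "no"}


def load_filter_opts(text, section="filter:authtoken"):
    """Read one paste filter section; every value comes back as a str."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp[section])


def verify_naive(opts):
    """Flawed pattern: the raw string is used as if it were a bool.
    'false' is a non-empty string, so `not insecure` is always False and
    verification is disabled whatever the operator wrote."""
    insecure = opts.get("insecure", False)
    return not insecure


def bool_from_string(value, default=False):
    """Strict boolean parsing; a missing value takes the safe default and an
    unrecognised value is rejected rather than guessed."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError("unrecognised boolean value: %r" % (value,))


def verify_fixed(opts):
    """Corrected pattern: verification is disabled only on an explicit true."""
    return not bool_from_string(opts.get("insecure"), default=False)
```

A quick check of a deployment is to run the deployed paste.ini through `load_filter_opts` and confirm that `verify_fixed` returns True for every filter section where 'insecure' is not deliberately set to a true value.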
Created python-keystoneclient tracking bugs for this issue:

Affects: fedora-all [bug 1143809]
MITRE assigned CVE-2014-7144 to this issue: http://seclists.org/oss-sec/2014/q3/628
OpenStack's advisory: http://seclists.org/oss-sec/2014/q3/731
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1784 https://rhn.redhat.com/errata/RHSA-2014-1784.html

This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2014:1783 https://rhn.redhat.com/errata/RHSA-2014-1783.html

This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2015:0020 https://rhn.redhat.com/errata/RHSA-2015-0020.html