List: oss-security
Subject: [oss-security] [CVE identifier assignment notification] CVE-2013-2191 python-bugzilla: Does not veri
From: Jan Lieskovsky <jlieskov () redhat ! com>
Date: 2013-06-19 16:58:40
Message-ID: 819346344.21944230.1371661120661.JavaMail.root () redhat ! com
Hello Kurt, Steve, vendors,

It was found that python-bugzilla, a Python library for interacting with Bugzilla
instances over XML-RPC functionality, did not perform X.509 certificate verification
when using a secured SSL connection. A man-in-the-middle (MiTM) attacker could use this
flaw to spoof the Bugzilla server via an arbitrary certificate.

Credit: This issue was discovered by Florian Weimer of the Red Hat Product Security Team.

CVE id: CVE-2013-2191 has been assigned to this issue.

Relevant upstream patch:
https://git.fedorahosted.org/cgit/python-bugzilla.git/commit/?id=a782282ee479ba4cc1b8b1d89700ac630ba83eef

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2191

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
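
The class of flaw described in the message above, as an added example that is not part of the original message and is not python-bugzilla's code or its upstream patch: using only the Python 3 standard library, it puts a TLS context that accepts any certificate beside one that verifies the chain and host name, and refuses to build an XML-RPC client on the former. The function names and the example.org URL are hypothetical.

```python
import ssl
import xmlrpc.client


def verifying_context():
    """TLS context that validates the certificate chain and the host name."""
    return ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True


def unverified_context():
    """The flawed behaviour: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the reasons why ctx would accept a spoofed server (empty if none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not matched against the certificate")
    return findings


def bugzilla_proxy(url, ctx=None):
    """Build an XML-RPC proxy, rejecting plain HTTP and non-verifying contexts."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS XML-RPC endpoint: " + url)
    if ctx is None:
        ctx = verifying_context()
    findings = audit_context(ctx)
    if findings:
        raise ValueError("insecure TLS context: " + "; ".join(findings))
    transport = xmlrpc.client.SafeTransport(context=ctx)
    return xmlrpc.client.ServerProxy(url, transport=transport)


if __name__ == "__main__":
    # Hypothetical endpoint; no connection is made until a method is called.
    url = "https://bugzilla.example.org/xmlrpc.cgi"
    print("unverified:", audit_context(unverified_context()))
    print("verifying: ", audit_context(verifying_context()))
    bugzilla_proxy(url)
    print("proxy built with a verifying context")
```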