List:       oss-security
Subject:    [oss-security] [OSSA 2014-030] TLS cert verification option not honoured in paste configs (CVE-2014-
From:       Grant Murphy <gmurphy () redhat ! com>
Date:       2014-09-25 22:30:45
Message-ID: 20140925223044.GB26480 () lappy ! bne ! redhat ! com


OpenStack Security Advisory: 2014-030
CVE: CVE-2014-7144
Date: September 25, 2014

Title: TLS cert verification option not honoured in paste configs
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware),
          versions up to 0.10.1 (python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in keystonemiddleware
(formerly shipped as python-keystoneclient). When the 'insecure' option
is set in a paste configuration file, it is effectively ignored,
regardless of its value. As a result, certificate verification is
disabled, leaving TLS connections open to MITM attacks. All versions of
keystonemiddleware with TLS settings configured via a paste.ini file are
affected by this flaw.
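To make the failure mode concrete, here is an added illustration (not code from keystonemiddleware, python-keystoneclient, or the advisory) of the difference between reading a config option and actually honouring it. It loads a constructed paste-style [filter:authtoken] section, shows a loader in the shape the advisory describes (the 'insecure' value is read but never affects the result, so verification is off whatever the file says), and beside it a loader that derives the TLS verify setting from the option with a secure default. The section name, keys and values are assumptions for the example, not the real project's option handling.

```python
"""Honouring a TLS 'insecure' option read from a paste-style config file.

Hypothetical example written for this advisory; it does not reproduce
keystonemiddleware's own code or option names beyond 'insecure'.
"""
import configparser

# Constructed sample paste.ini fragment (not taken from any real deployment).
SAMPLE_PASTE_INI = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri = https://keystone.example.invalid:5000/
insecure = false
"""

TRUE_STRINGS = ("1", "t", "true", "on", "y", "yes")
FALSE_STRINGS = ("0", "f", "false", "off", "n", "no")


def parse_bool(value):
    """Convert a config string to bool; reject anything unrecognised so a
    typo such as 'flase' cannot silently become either value."""
    if isinstance(value, bool):
        return value
    v = str(value).strip().lower()
    if v in TRUE_STRINGS:
        return True
    if v in FALSE_STRINGS:
        return False
    raise ValueError("not a boolean: %r" % (value,))


def load_paste_section(text, section="filter:authtoken"):
    """Parse one section of paste.ini text into a plain dict (keys lowercased
    by configparser)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return dict(parser.items(section))


def verify_setting_broken(conf):
    """The pattern the advisory describes: the option is looked up, but its
    value never influences the result, so certificate verification is
    disabled regardless of what the file says. Kept here as the 'before'."""
    conf.get("insecure")  # read, then ignored
    return False


def verify_setting_fixed(conf):
    """Derive a requests-style 'verify' argument from the section.

    Default is secure (verify=True); only an explicit true-ish 'insecure'
    turns verification off. If a 'cafile' is given (assumed key), it is
    returned so the client verifies against that CA bundle.
    """
    if parse_bool(conf.get("insecure", "false")):
        return False
    return conf.get("cafile") or True


def audit(text, section="filter:authtoken"):
    """Defender's check: report whether a paste.ini section, as written,
    results in TLS verification being enabled under the fixed logic."""
    conf = load_paste_section(text, section)
    return verify_setting_fixed(conf) is not False


if __name__ == "__main__":
    conf = load_paste_section(SAMPLE_PASTE_INI)
    print("file says insecure =", conf["insecure"])
    print("broken loader verifies:", verify_setting_broken(conf) is not False)
    print("fixed loader verifies: ", verify_setting_fixed(conf) is not False)
```

The point of `parse_bool` rejecting unknown strings is that a config flag controlling certificate verification should fail loudly on a malformed value rather than fall through to an arbitrary default; `audit` is the one-call check an operator can run over their own paste.ini text to confirm the effective setting.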

keystonemiddleware fix:
https://review.openstack.org/113191

python-keystoneclient fix:
https://review.openstack.org/112232

Notes:
These fixes are included in the keystonemiddleware 1.2.0 release
and in the python-keystoneclient 0.11.0 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7144
https://launchpad.net/bugs/1353315

--
Grant Murphy
OpenStack Vulnerability Management Team
