Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <819346344.21944230.1371661120661.JavaMail.root@redhat.com>
Date: Wed, 19 Jun 2013 12:58:40 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Cole Robinson <crobinso@...hat.com>,
        Florian Weimer <fweimer@...hat.com>
Subject: [CVE identifier assignment notification] CVE-2013-2191
 python-bugzilla: Does not verify Bugzilla server certificate

Hello Kurt, Steve, vendors,

  It was found that python-bugzilla, a Python library for interacting with Bugzilla
instances over XML-RPC functionality, did not perform X.509 certificate verification
when using secured SSL connection. A man-in-the-middle (MiTM) attacker could use this
flaw to spoof Bugzilla server via an arbitrary certificate.

Credit: This issue was discovered by Florian Weimer of the Red Hat Product Security Team.

CVE id: CVE-2013-2191 has been assigned to this issue

Relevant upstream patch:
  https://git.fedorahosted.org/cgit/python-bugzilla.git/commit/?id=a782282ee479ba4cc1b8b1d89700ac630ba83eef

References:
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2191

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.