Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20140925223044.GB26480@lappy.bne.redhat.com>
Date: Fri, 26 Sep 2014 08:30:45 +1000
From: Grant Murphy <gmurphy@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-030] TLS cert verification option not honoured in paste
 configs (CVE-2014-7144)

OpenStack Security Advisory: 2014-030
CVE: CVE-2014-7144
Date: September 25, 2014

Title: TLS cert verification option not honoured in paste configs
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware),
          versions up to 0.10.1 (python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in keystonemiddleware
(formerly shipped as python-keystoneclient). When the 'insecure' option
is set in a paste configuration file it is effectively ignored,
regardless of its value. As a result certificate verification will be
disabled, leaving TLS connections open to MITM attacks. All versions of
keystonemiddleware with TLS settings configured via a paste.ini file are
affected by this flaw.

keystonemiddleware fix:
https://review.openstack.org/113191

python-keystoneclient fix:
https://review.openstack.org/112232

Notes:
These fixes are included in the keystonemiddleware 1.2.0 release
and in the python-keystoneclient 0.11.0 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7144
https://launchpad.net/bugs/1353315

--
Grant Murphy
OpenStack Vulnerability Management Team

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.