[Openstack-devel] Bug#718282: CVE-2013-4111: Missing SSL certificate check in Python glance client

Thomas Goirand zigo at debian.org
Mon Jul 29 16:16:16 UTC 2013

Package: python-glanceclient
Version: 1:0.9.0-1
Severity: grave
Tags: patch

Copying the email from the security team of OpenStack.

Thomas Goirand (zigo)

A vulnerability was fixed publicly in OpenStack Python Glance client
recently, and we think it warrants a security advisory to make sure
everyone is aware of it.

We obviously can't embargo anything here since the issue is public
already, but we figured you would still appreciate a day's heads-up
before we publish the advisory and attract the rest of the world's
attention to the issue.

Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions

Thomas Leaman from HP reported that the Python Glance client was
failing to properly check certificates during the establishment of
HTTPS connections. A remote attacker with access to segments of the
network between client and server could potentially set up a
man-in-the-middle attack and access the contents of the Glance client
request (or response).

python-glanceclient fix (will be included in future release):



Thierry Carrez
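The advisory above describes a missing certificate check: an HTTPS client that neither validates the server certificate against a trusted CA nor checks that the certificate's name matches the host it meant to reach. The following is an added illustration, not code from python-glanceclient or from the OpenStack fix referenced above. It shows, with Python's standard `ssl` module, what a verifying client configuration looks like, an audit helper that flags the vulnerable settings, and a minimal DNS-name match against the dict form that `SSLSocket.getpeercert()` returns (subjectAltName only, single left-most-label wildcard). The function names, the `insecure` flag and the sample certificate dict are all assumptions made for this example.

```python
"""Certificate verification for an HTTPS client (added illustration).

Not the glance client's code: it demonstrates the check the advisory says
was missing and how to spot a context that would accept a MITM certificate.
"""
import ssl
from http.client import HTTPSConnection


def build_context(cafile=None, insecure=False):
    """Return an SSLContext for a client connection.

    insecure=False (default): the peer certificate must chain to a trusted CA
    (cafile, or the platform store when cafile is None) and its name must
    match the host we connect to. insecure=True reproduces, for comparison,
    the configuration the advisory describes: nothing is verified.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if insecure:
        # check_hostname must be disabled before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """List the reasons a context would accept an attacker's certificate."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid cert for another host is accepted")
    return findings


def open_connection(host, port=443, cafile=None, insecure=False):
    """HTTPSConnection whose TLS handshake uses the context above."""
    return HTTPSConnection(host, port, context=build_context(cafile, insecure))


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a wildcard that replaces only the
    whole left-most label and sits left of at least two more labels."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """Return True if any DNS subjectAltName in cert (getpeercert() dict form)
    matches hostname. The commonName is deliberately ignored, as current
    browsers and Python's ssl module do."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_matches(n, hostname) for n in names)


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "glance.example.test"),),),
    "subjectAltName": (
        ("DNS", "glance.example.test"),
        ("DNS", "*.internal.example.test"),
    ),
}

if __name__ == "__main__":
    print("secure context findings:", audit_context(build_context()))
    print("insecure context findings:", audit_context(build_context(insecure=True)))
    for host in ("glance.example.test", "api.internal.example.test", "evil.example.test"):
        print(host, "->", cert_matches_hostname(SAMPLE_PEER_CERT, host))
```

`build_context()` is the part that removes the vulnerability class: with `verify_mode=CERT_REQUIRED` and `check_hostname=True`, the `ssl` module itself performs both the chain and the name check during the handshake, so `cert_matches_hostname` is only there to make visible what that name check decides. A client option that flips `insecure=True` should be loud and off by default; `audit_context` is the kind of check a test suite can run against whatever context a client actually builds.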

