OSSA-2014-005: Missing SSL certificate check in Python Swift client
- Date: February 17, 2014
- CVE: CVE-2013-6396
Affects
Python-swiftclient: versions 1.0 up to 1.9.0
Description
Thomas Leaman from HP reported that the Python Swift client failed to properly check certificates when establishing HTTPS connections. A remote attacker with access to network segments between the client and server could potentially set up a man-in-the-middle attack and access the contents of the Swift client's communication with the server, including any credentials used.
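The following is an added example, not code from python-swiftclient or from the referenced patch. It uses Python's standard `ssl` module to show a client context that skips certificate checks beside one that performs them, and audits a context before any connection is made. All function names and the host `swift.example.com` are hypothetical.

```python
import http.client
import ssl


def legacy_unverified_context():
    """Context with both checks off: any certificate from any host is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context():
    """Partial fix: chain is validated, but a valid cert for another host passes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def verified_context(cafile=None):
    """Chain validation plus hostname matching; cafile may point at a private CA."""
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx):
    """Return the certificate checks this context would skip during a handshake."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not validated (verify_mode=%s)" % ctx.verify_mode.name)
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    return findings


def open_https(host, ctx, port=443):
    """Build an HTTPS connection object, refusing contexts that skip a check."""
    findings = audit_context(ctx)
    if findings:
        raise ssl.SSLError("refusing unverified TLS to %s: %s" % (host, "; ".join(findings)))
    # No network traffic happens here; the handshake runs on the first request.
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    for name, make in [("legacy", legacy_unverified_context),
                       ("chain-only", chain_only_context),
                       ("verified", verified_context)]:
        print(name, audit_context(make()) or "ok")
```

The chain-only case is included because validating the chain without matching the hostname still lets a certificate issued for a different host pass.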
Patches
https://review.openstack.org/#/c/69187 (Python-swiftclient-2.0)
Credits
Thomas Leaman from HP (CVE-2013-6396)