Summary: | <dev-python/python-keystoneclient-{1.0.0-r1,1.3.0-r2},<dev-python/keystonemiddleware-1.5.0: MITM TLS Verification (CVE-2015-1852) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | | |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | C3 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Matthew Thode ( prometheanfire )
2015-04-14 23:05:57 UTC
to be clear, stabilize dev-python/python-keystoneclient-1.0.0-r1

Arches, please test and mark stable: =dev-python/python-keystoneclient-1.0.0-r1
Target Keywords : "amd64 x86"
Thank you!

bad versions removed

1.0.0-r1 and >=1.3.0-r2 have the fix

Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes

GLSA vote: no.

GLSA Vote: No, closing noglsa

CVE-2015-1852 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1852):
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.
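The flaw the CVE text describes is a configuration-parsing bug: the raw paste.ini value is used as a Python truth value, so a non-empty string such as `insecure = false` still switches certificate verification off. The following is an added example, not code from keystonemiddleware or python-keystoneclient; the config fragment, the function names and the `bool_from_string` helper are constructed for illustration, with the vulnerable pattern shown beside a hardened one that parses the option strictly.

```python
import configparser

# Constructed paste.ini fragment in the shape an s3_token filter section takes.
# The operator plainly intends certificate verification to stay ON.
SAMPLE_PASTE_INI = """
[filter:s3_token]
paste.filter_factory = keystonemiddleware.s3_token:filter_factory
insecure = false
"""

def load_filter_conf(ini_text, section="filter:s3_token"):
    """Return one filter section as a dict; every value is a raw string."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return dict(parser.items(section))

def verify_flag_vulnerable(conf):
    """Vulnerable pattern: the string 'false' is non-empty and therefore truthy,
    so verification is disabled whenever the key is present at all."""
    insecure = conf.get("insecure", False)
    return not insecure

_TRUE = {"1", "t", "true", "on", "y", "yes"}
_FALSE = {"0", "f", "false", "off", "n", "no"}

def bool_from_string(value):
    """Strict string-to-bool conversion (assumption: modelled on the kind of
    helper oslo.utils provides; not the project's own code)."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError("unrecognised boolean %r for 'insecure'" % (value,))

def verify_flag_fixed(conf):
    """Hardened pattern: parse the option; refuse to start on an ambiguous value
    rather than silently weakening TLS."""
    return not bool_from_string(conf.get("insecure", False))

if __name__ == "__main__":
    conf = load_filter_conf(SAMPLE_PASTE_INI)
    print("vulnerable verify =", verify_flag_vulnerable(conf))  # False
    print("fixed verify      =", verify_flag_fixed(conf))       # True
```

The same check is worth running against any option a service reads from paste.ini and feeds into a `verify=` argument, since ini files hand back strings, never booleans.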