Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 429834 (CVE-2012-3446)

Summary: <dev-python/libcloud-0.11.1 : possible SSL MITM due to invalid regexp used to validate target server hostname (CVE-2012-3446)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=845665
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-08-04 15:21:48 UTC 
From red hat bugzilla at $URL:

A man-in-the-middle vulnerability was reported [1] in Apache Libcloud, due to an invalid regular expression used to validate the target server hostname.  When establishing an SSL/TLS connection to a target server, a subset of the full target server hostname was marked as an acceptable match for the given hostname (such as a certificate specifying "aexample.com" being considered acceptable for "example.com").  Upstream version 0.11.1 includes a fix for this flaw.

[1] http://seclists.org/fulldisclosure/2012/Aug/55
Comment 1 Mike Gilbert gentoo-dev 2012-08-04 16:04:00 UTC 
dev-python/libcloud-0.11.1 has been added to the tree, and all older versions have been removed.
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-04 16:04:57 UTC 
THanks
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-11-07 23:12:37 UTC 
CVE-2012-3446 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3446):
  Apache Libcloud before 0.11.1 uses an incorrect regular expression during
  verification of whether the server hostname matches a domain name in the
  subject's Common Name (CN) or subjectAltName field of the X.509 certificate,
  which allows man-in-the-middle attackers to spoof SSL servers via a crafted
  certificate.