Bug 476658 (CVE-2013-2255)

Summary: sys-cluster/nova, sys-auth/keystone: SSL Certificate Validation Security Issue (CVE-2013-2255)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/54089/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-07-12 20:19:13 UTC
From https://secunia.com/advisories/54089/ :

Description

A security issue has been reported in various OpenStack products, which can be exploited by malicious people to conduct spoofing attacks.

The security issue is caused due to the application not verifying the validity of the SSL certificates presented when connecting to the server. This can be exploited to spoof a valid server and e.g. conduct Man-in-the-Middle (MitM) attacks.

Please see the vendor's advisory for a list of affected products.


Solution:
No official solution is currently available.

Original Advisory:
OSSN:
https://bugs.launchpad.net/ossn/+bug/1188189
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-23 20:12:36 UTC
From what I understand about this bug, it is a core python bug for python 2, and documented in bug 480856.

Would this bug be solved by running dev-lang/python-2.7.5-r2 or newer?
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-09-11 17:57:12 UTC
ya, this has been fixed in bug 480856

This doesn't do anything on the m68k.

So, I'm removing myself from cc as this is fixed in the python update. Feel free to re-add if necessary.
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-13 18:51:13 UTC
Sorry, wrong bug.

Should be closed as noglsa?
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-13 19:03:52 UTC
Guess so.