Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 476658 (CVE-2013-2255)

Summary: sys-cluster/nova, sys-auth/keystone: SSL Certificate Validation Security Issue (CVE-2013-2255)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: trivial    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-07-12 20:19:13 UTC
From :


A security issue has been reported in various OpenStack products, which can be exploited by malicious people to conduct spoofing attacks.

The security issue is caused due to the application not verifying the validity of the SSL certificates presented when connecting to the server. This can be exploited to spoof a valid server and e.g. conduct Man-in-the-Middle (MitM) attacks.

Please see the vendor's advisory for a list of affected products.

No official solution is currently available.

Original Advisory:
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-23 20:12:36 UTC
From what I understand about this bug, it is a core python bug for python 2, and documented in bug 480856.

Would this bug be solved by running dev-lang/python-2.7.5-r2 or newer?
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-09-11 17:57:12 UTC
ya, this has been fixed in bug 480856

This doesn't do anything on the m68k.

So, I'm removing myself from cc as this is fixed in the python update.  Feel free to readd if necessary.
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-13 18:51:13 UTC
Sorry, wrong bug.

Should be closed as noglsa?
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-13 19:03:52 UTC
Guess so.