Summary: | dev-python/python-glanceclient : Module SSL Certificate Verification Security Issue (CVE-2013-4111) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | python |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/54313/ | ||
Whiteboard: | ~4 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-07-30 15:26:18 UTC
I updated glanceclient to 0.10.0 (which includes the fix) and removed the bad versions, this bug should be closable. I'm removing myself as I see this as closable, re-add me if you don't think so.

Okay then.

CVE-2013-4111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4111): The Python client library for Glance (python-glanceclient) before 0.10.0 does not properly check the preverify_ok value, which prevents the server hostname from being verified with a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate and allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
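The class of bug in the CVE text above, as an added example that is not part of this report and is not python-glanceclient's code: a verify callback whose hostname check is gated on a mis-tested `preverify_ok`, next to a corrected form. The specific mistake shown (an identity test against `True` when the flag arrives as the integer 1), all function names, and the dict-based certificates are assumptions made for illustration.

```python
# Added illustration; certificates are constructed dicts, not real X.509 objects.
# preverify_ok follows the OpenSSL callback convention: the integer 1 or 0.

def host_matches_cert(host, cert):
    """Match host against subjectAltName DNS entries, falling back to the CN."""
    names = cert.get("san") or [cert.get("cn", "")]
    host = host.lower()
    for name in names:
        name = name.lower()
        # Only a single left-most wildcard label is honoured, e.g. *.example.org
        suffix = name[2:] if name.startswith("*.") else None
        if name == host or (suffix and host.partition(".")[2] == suffix):
            return True
    return False


def flawed_callback(host, cert, depth, preverify_ok):
    # Assumed bug pattern: "is True" never succeeds for the integer 1,
    # so the hostname check on the leaf certificate is silently skipped.
    if depth == 0 and preverify_ok is True:
        return host_matches_cert(host, cert)
    return bool(preverify_ok)


def fixed_callback(host, cert, depth, preverify_ok):
    # A chain failure at any depth is final.
    if not preverify_ok:
        return False
    # Leaf certificate (depth 0): the name must also match the host we dialled.
    if depth == 0:
        return host_matches_cert(host, cert)
    return True


def handshake_accepts(callback, host, chain):
    """Invoke the callback from the root (highest depth) down to the leaf."""
    for depth in range(len(chain) - 1, -1, -1):
        cert, ok = chain[depth]
        if not callback(host, cert, depth, ok):
            return False
    return True


# Constructed samples: index 0 is the leaf; each entry is (cert, preverify_ok).
CA = {"cn": "Example Test CA"}
OTHER_LEAF = {"cn": "other.example.net", "san": ["other.example.net"]}
GOOD_LEAF = {"cn": "glance.example.org", "san": ["glance.example.org", "*.img.example.org"]}
WRONG_HOST_CHAIN = [(OTHER_LEAF, 1), (CA, 1)]
GOOD_CHAIN = [(GOOD_LEAF, 1), (CA, 1)]
```

A regression test for a fix of this kind should present a CA-valid certificate issued for a different name and require the connection to fail. A test that only uses untrusted certificates passes against both callbacks.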