Bug 476658 (CVE-2013-2255) - sys-cluster/nova, sys-auth/keystone: SSL Certificate Validation Security Issue (CVE-2013-2255)
Status: RESOLVED FIXED
Alias: CVE-2013-2255
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54089/
Whiteboard: ~4 [noglsa]
Reported: 2013-07-12 20:19 UTC by Agostino Sarubbo
Modified: 2013-09-13 19:03 UTC
Description Agostino Sarubbo gentoo-dev 2013-07-12 20:19:13 UTC
From https://secunia.com/advisories/54089/ :

Description

A security issue has been reported in various OpenStack products, which can be exploited by malicious people to conduct spoofing attacks.

The security issue is caused due to the application not verifying the validity of the SSL certificates presented when connecting to the server. This can be exploited to spoof a valid server and e.g. conduct Man-in-the-Middle (MitM) attacks.

Please see the vendor's advisory for a list of affected products.


Solution:
No official solution is currently available.

Original Advisory:
OSSN:
https://bugs.launchpad.net/ossn/+bug/1188189
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-23 20:12:36 UTC
From what I understand about this bug, it is a core python bug for python 2, and documented in bug 480856.

Would this bug be solved by running dev-lang/python-2.7.5-r2 or newer?
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-09-11 17:57:12 UTC
ya, this has been fixed in bug 480856

This doesn't do anything on the m68k.

So, I'm removing myself from cc as this is fixed in the python update.  Feel free to readd if necessary.
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-13 18:51:13 UTC
Sorry, wrong bug.

Should be closed as noglsa?
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-13 19:03:52 UTC
Guess so.