From ${URL} : The OpenStack project reports: "" Title: TLS cert verification option not honoured in paste configs Reporter: Qin Zhao (IBM) Products: keystonemiddleware, python-keystoneclient Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1 (python-keystoneclient) Description: Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly shipped as python-keystoneclient). When the 'insecure' SSL option is set in a paste configuration file it is effectively ignored, regardless of its value. As a result certificate verification will be disabled, leaving TLS connections open to MITM attacks. All versions of keystonemiddleware with TLS settings configured via a paste.ini file are affected by this flaw. "" Upstream fix: https://review.openstack.org/#/c/112232/ References: http://launchpad.net/bugs/1353315 http://www.openwall.com/lists/oss-security/2014/09/17/3 @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
fix in tree as 0.11.0 vulnerable removed (0.10.1) removing myself and openstack from cc
Maintainer(s), Thank you for cleanup! No GLSA needed as there are no stable versions.
CVE-2014-7144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7144): OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.
