Package: python-glanceclient
Version: 1:0.9.0-1
Severity: grave
Tags: patch

Copying the email from the security team of OpenStack.

Thomas Goirand (zigo)

A vulnerability was fixed publicly in OpenStack Python Glance client recently, and we think it warrants a security advisory to make sure everyone is aware of it. We obviously can't embargo anything here since the issue is public already, but we figured you would still appreciate a day's heads-up before we publish the advisory and attract the rest of the world's attention on the issue.

Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Glance client request (or response).

python-glanceclient fix (will be included in future release):
https://review.openstack.org/#/c/33464/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111
https://bugs.launchpad.net/python-glanceclient/+bug/1192229

Regards,

--
Thierry Carrez