Bugzilla – Bug 831947
VUL-1: CVE-2013-4111: openstack-glance: missing ssl certificate check
Last modified: 2013-10-02 18:44:34 UTC
Patch available from openstack.org [1]. [1] https://review.openstack.org/#/c/33464/8/glanceclient/common/http.py,unified
Doesn't apply to Essex, so no Cloud-1 update necessary. Fix backported to Cloud:OpenStack:Folsom. Maintenance update for 12.3 submitted: sr#185899
This is an autogenerated message for OBS integration: This bug (831947) was mentioned in https://build.opensuse.org/request/show/185899 Maintenance /
released
openSUSE-SU-2013:1330-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 831947 CVE References: CVE-2013-4111 Sources used: openSUSE 12.3 (src): python-glanceclient-0.6.0.14.gc057fe4+git.1355912586.c057fe4-2.4.1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111 The Python client library for Glance (python-glanceclient) before 0.10.0 does not properly check the preverify_ok value, which prevents the server hostname from being verified with a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate and allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.