Bugzilla – Bug 856323
VUL-0: CVE-2013-6418: python-pywbem: TOCTOU vulnerability in certificate validation
Last modified: 2014-06-16 09:00:31 UTC
CVE-2013-6418

Florian Weimer discovered a TOCTOU (time of check to time of use) vulnerability in the way PyWBEM, a Python library for making CIM (Common Information Model) operations over HTTP using the WBEM CIM-XML protocol, performed certificate validation. An attacker could use this flaw to perform man-in-the-middle attacks against applications that are using PyWBEM.

Acknowledgements: This issue was discovered by Florian Weimer of the Red Hat Product Security Team.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6418
https://bugzilla.redhat.com/show_bug.cgi?id=1039801
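Added illustration of the bug class named in the report above; it is not PyWBEM's code, and this page does not describe the exact mechanism PyWBEM used. The example assumes the classic shape of a certificate-validation TOCTOU, in which the certificate is checked on one TLS session while the request is then sent over a different session. The fingerprints, FakeTlsSession and dial_sequence are constructed stand-ins so the behaviour can be shown offline; the two ssl-based helpers at the end show the correct shape with the Python standard library, where verification is part of the handshake of the socket that is actually used.

```python
"""Illustration of a TOCTOU in certificate validation.

Added example, not PyWBEM's code. FakeTlsSession stands in for a TLS
session so the race can be shown offline; the ssl-based helpers at the
end show the correct shape with the real standard library.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed placeholder fingerprints, not real certificate hashes.
TRUSTED_FINGERPRINT = "sha256:constructed-trusted-server"
OTHER_FINGERPRINT = "sha256:constructed-unexpected-peer"


class UntrustedPeer(Exception):
    """Raised when the peer certificate is not the one we trust."""


@dataclass
class FakeTlsSession:
    """Stand-in for a TLS session; real code would hold an ssl.SSLSocket."""
    peer_fingerprint: str
    closed: bool = False

    def close(self) -> None:
        self.closed = True


def cert_is_trusted(fingerprint: str) -> bool:
    """Toy trust decision; a real client verifies the chain and hostname."""
    return fingerprint == TRUSTED_FINGERPRINT


def connect_vulnerable(dial: Callable[[], FakeTlsSession]) -> FakeTlsSession:
    """TOCTOU shape: the certificate is checked on a probe session that is
    then thrown away, and the data goes over a second, unchecked session."""
    probe = dial()                                   # time of check
    if not cert_is_trusted(probe.peer_fingerprint):
        probe.close()
        raise UntrustedPeer(probe.peer_fingerprint)
    probe.close()
    return dial()                                    # time of use: a different session


def connect_hardened(dial: Callable[[], FakeTlsSession]) -> FakeTlsSession:
    """Check the certificate of the very session that will carry the data."""
    session = dial()
    if not cert_is_trusted(session.peer_fingerprint):
        session.close()
        raise UntrustedPeer(session.peer_fingerprint)
    return session                                   # check and use coincide


def dial_sequence(first: str, later: str) -> Callable[[], FakeTlsSession]:
    """Constructed scenario: the first handshake presents one certificate,
    every later handshake presents another, which is the situation a
    man-in-the-middle position creates for the vulnerable client."""
    calls = [0]

    def dial() -> FakeTlsSession:
        calls[0] += 1
        return FakeTlsSession(first if calls[0] == 1 else later)

    return dial


def make_verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Real-ssl version of the hardened shape: with CERT_REQUIRED and
    check_hostname on, verification happens inside the handshake of the
    socket that is subsequently used, so there is no separate check step."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses unverified peers and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_verified_connection(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Use the returned socket for the request; never a second, unverified one."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)  # handshake verifies chain + name


if __name__ == "__main__":
    victim = connect_vulnerable(dial_sequence(TRUSTED_FINGERPRINT, OTHER_FINGERPRINT))
    print("vulnerable client is talking to:", victim.peer_fingerprint)
    safe = connect_hardened(dial_sequence(TRUSTED_FINGERPRINT, OTHER_FINGERPRINT))
    print("hardened client is talking to:", safe.peer_fingerprint)
```

The point of the fake is that `connect_vulnerable` returns a session whose certificate was never checked, even though a check did happen; `connect_hardened` keeps the checked session and the used session identical. With the standard library the same property comes for free as long as the verifying context wraps the socket that carries the request, which is what `open_verified_connection` does.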
bugbot adjusting priority
Re-assign to maintainer. See also http://sourceforge.net/mailarchive/message.php?msg_id=31796894
*** Bug 856274 has been marked as a duplicate of this bug. ***
Hi, I've seen you made request https://build.suse.de/request/show/30421, which also enables IPv6. So, is this meant to be a maintenance update rather than a security update? We can handle it as a security update, but you need to resubmit it with the CVE then.
The SWAMPID for this issue is 55796. This issue was rated as moderate. Please submit fixed packages by 2014-01-27. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
(In reply to comment #4)
> Hi
>
> I've seen you made request
> https://build.suse.de/request/show/30421
> also enabling ipv6. So, is this meant to be a maintenance
> update rather than a security update?
>
> We can handle it as a security update, but you need
> to resubmit it with the CVE then.

Hi,

No, it is still a security update rather than a maintenance update (at least in my eyes :-) ). I have added the IPv6 patch because the SSL verification patch is based on changes introduced along with the IPv6 patch. Therefore both changes need to be in sync with what has been fixed upstream.
ok, then just revoke your old SR, and make a new one including the CVE in the .changes
Update released for: python-pywbem
Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: python-pywbem
Products: SLE-DESKTOP 11-SP3 (i386, x86_64), SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0580-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 856108,856323
CVE References: CVE-2013-6418
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): python-pywbem-0.7-6.20.1
SUSE Linux Enterprise Server 11 SP3 (src): python-pywbem-0.7-6.20.1
SUSE Linux Enterprise Desktop 11 SP3 (src): python-pywbem-0.7-6.20.1