
Debian Bug report logs - #718282
CVE-2013-4111: Missing SSL certificate check in Python glance client


Reported by: Thomas Goirand <zigo@debian.org>

Date: Mon, 29 Jul 2013 16:21:01 UTC

Severity: grave

Tags: patch, security

Found in version python-glanceclient/1:0.9.0-1

Fixed in version python-glanceclient/1:0.9.0-2

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#718282; Package python-glanceclient. (Mon, 29 Jul 2013 16:21:06 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Mon, 29 Jul 2013 16:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-4111: Missing SSL certificate check in Python glance client
Date: Tue, 30 Jul 2013 00:16:16 +0800
Package: python-glanceclient
Version: 1:0.9.0-1
Severity: grave
Tags: patch

Copying the email from the security team of OpenStack.

Thomas Goirand (zigo)

A vulnerability was fixed publicly in OpenStack Python Glance client
recently, and we think it warrants a security advisory to make sure
everyone is aware of it.

We obviously can't embargo anything here since the issue is public
already, but we figured you would still appreciate a day's heads-up
before we publish the advisory and attract the rest of the world's
attention to the issue.

Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was
failing to properly check certificates during the establishment of
HTTPS connections. A remote attacker with access over segments of the
network between client and server could potentially set up a
man-in-the-middle attack and access the contents of the Glance client
request (or response).

python-glanceclient fix (will be included in future release):
https://review.openstack.org/#/c/33464/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111
https://bugs.launchpad.net/python-glanceclient/+bug/1192229

Regards,

-- 
Thierry Carrez
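The advisory describes an HTTPS client that accepted whatever certificate the server presented. The added example below (written for this page, not glanceclient's own fix) shows the two checks such a client must make: chain validation against a trusted CA via an `ssl.SSLContext`, and a hostname match against the certificate's dNSName SANs (with CN as a fallback) in the dict shape that `ssl.getpeercert()` returns. `make_client_context`, `cert_matches_hostname` and `https_connection` are names chosen here, not API from the project.

```python
"""Added example: the server-certificate checks an HTTPS client must
perform (CA chain + hostname), against ssl.getpeercert()-style dicts."""
import ssl
import http.client


def make_client_context(cafile=None):
    """Context that requires a chain to a trusted CA and a hostname match.
    cafile pins trust to one CA bundle; None uses the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject unverifiable chains
    ctx.check_hostname = True             # reject name mismatches
    return ctx


def _dns_label_match(pattern, hostname):
    """RFC 6125-style match: case-insensitive, one '*' allowed only as the
    entire leftmost label, never matching across a dot, and never for a
    pattern as short as '*.org'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """True if the peer certificate (dict as from ssl.getpeercert()) was
    issued for hostname. dNSName SANs take precedence; the subject CN is
    consulted only when the cert carries no dNSName entries at all."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_dns_label_match(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_label_match(value, hostname)
    return False


def https_connection(host, port=443, cafile=None):
    """HTTPS connection that raises ssl.SSLCertVerificationError on an
    untrusted or mismatched server certificate instead of accepting it."""
    return http.client.HTTPSConnection(host, port, context=make_client_context(cafile))
```

With the verified context attached, `http.client` performs both checks during the handshake; `cert_matches_hostname` spells out the name-matching half so the rules (no CN when SANs exist, single-label wildcard only) are visible.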



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 29 Jul 2013 17:06:08 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Mon, 29 Jul 2013 17:06:08 GMT)


Message #10 received at 718282-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 718282-close@bugs.debian.org
Subject: Bug#718282: fixed in python-glanceclient 1:0.9.0-2
Date: Mon, 29 Jul 2013 17:03:19 +0000
Source: python-glanceclient
Source-Version: 1:0.9.0-2

We believe that the bug you reported is fixed in the latest version of
python-glanceclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 718282@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-glanceclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 30 May 2013 13:55:25 +0800
Source: python-glanceclient
Binary: python-glanceclient
Architecture: source all
Version: 1:0.9.0-2
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 python-glanceclient - Client library for Openstack glance server
Closes: 718282
Changes: 
 python-glanceclient (1:0.9.0-2) unstable; urgency=high
 .
   * Ran wrap-and-sort.
   * CVE-2013-4111: Fix missing SSL certificate check (Closes: #718282).
   * Cleans correctly so the package can be built twice.
   * Using testrepository instead of run_test.py for running tests.
   * Standards-Version: is now 3.9.4.
   * Explicitly using --buildsystem=python_distutils.





Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 29 Jul 2013 19:54:08 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Aug 2013 07:30:47 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:54:18 2019; Machine Name: beach
