Showing 1 - 3 of 3

CVE-2015-1852

Status Candidate

Overview

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.

Related Files

Red Hat Security Advisory 2015-1685-01: Posted Aug 26, 2015; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2015-1685-01 - Python-keystoneclient is a client library and a command-line utility for interacting with the OpenStack Identity API. It was discovered that some items in the S3Token configuration as used by python-keystoneclient were incorrectly evaluated as strings, an issue similar to CVE-2014-7144. If the "insecure" option was set to "false", the option would be evaluated as true, resulting in TLS connections being vulnerable to man-in-the-middle attacks. Note: The "insecure" option defaults to false, so setups that do not specifically define "insecure=false" are not affected.; tags | advisory, python; systems | linux, redhat; advisories | CVE-2015-1852; SHA-256 | f7c56d4b381ea910926af2ea30028853daff29cd7f8167099a0f0009a6fa3119; Download | Favorite | View

Red Hat Security Advisory 2015-1677-01: Posted Aug 24, 2015; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2015-1677-01 - Python-keystonemiddleware is a client library and a command line utility for interacting with the OpenStack Identity API. Red Hat Enterprise OpenStack Platform 6.0 contains and uses both the python-keystonemiddleware and python-keystoneclient versions of this package. It was discovered that some items in the the S3Token configuration as used by python-keystonemiddleware and python-keystoneclient were incorrectly evaluated as strings, an issue similar to CVE-2014-7144. This would result in a setting for 'insecure=false' to evaluate as true and leave TLS connections open to MITM.; tags | advisory, python; systems | linux, redhat; advisories | CVE-2015-1852; SHA-256 | a1617b37a82aaba4dffd76c93a797fec5f99a0e2790e814aeaca542becd1f2b4; Download | Favorite | View

Ubuntu Security Notice USN-2705-1: Posted Aug 6, 2015; Authored by Ubuntu | Site security.ubuntu.com; Ubuntu Security Notice 2705-1 - Qin Zhao discovered Keystone disabled certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate. Brant Knudson discovered Keystone disabled certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate. Various other issues were also addressed.; tags | advisory, remote; systems | linux, ubuntu; advisories | CVE-2014-7144, CVE-2015-1852; SHA-256 | 562e20b238e38b9c71afcc748894aa1f5d751ae0722e5ca24eb36405f9cf09ad; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

CVE-2015-1852

Overview

Related Files

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems