CVE-2014-7144
Published: 2 October 2014
OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certificate verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.
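The flaw described above is a configuration-parsing defect: paste.deploy hands filter options to the middleware as strings, so testing the "insecure" option for presence rather than parsing its value turns `insecure = false` into `insecure = true`. The following is an added example written for this page, not code from keystonemiddleware or python-keystoneclient: it reconstructs the vulnerable check beside a hardened one and runs both over constructed paste.ini fragments. The page notes that the upstream patch depends on a newer oslo.config; the boolean parser here is hand-rolled so the example runs offline. All function names (`verify_certs_vulnerable`, `verify_certs_fixed`, `bool_from_string`, `compare`) and the sample configurations are assumptions made for this illustration.

```python
"""Added example (not keystonemiddleware code): a paste.ini flag must be parsed
as a boolean, not tested for presence.

paste.deploy passes a filter's options to it as a dict of strings. The vulnerable
pattern below, reconstructed from the CVE description, treats any configured
'insecure' value as true, so 'insecure = false' still disables TLS certificate
verification. The hardened version parses the string strictly and rejects
values it does not recognise. All names and sample configs are constructed."""

import configparser
import io

# Constructed paste.ini fragments, each a filter section as paste.deploy would read it.
PASTE_INI_EXPLICIT_FALSE = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = false
"""

PASTE_INI_ABSENT = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
"""

PASTE_INI_TRUE = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = True
"""

TRUE_STRINGS = ("1", "t", "true", "on", "y", "yes")
FALSE_STRINGS = ("0", "f", "false", "off", "n", "no")


def load_filter_options(paste_ini: str, section: str = "filter:authtoken") -> dict:
    """Parse a paste.ini fragment into the {option: string} dict a filter receives."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(paste_ini))
    return dict(parser.items(section))


def verify_certs_vulnerable(conf: dict) -> bool:
    """Vulnerable pattern: the key's presence is taken as 'true'.

    Every non-empty string is truthy in Python, so the string 'false' still
    switches certificate verification off. Returns True when verification stays on."""
    insecure = conf.get("insecure")
    return not insecure


def bool_from_string(value, default: bool = False) -> bool:
    """Strict string-to-bool conversion (hypothetical helper).

    None yields the default; unrecognised strings raise instead of guessing."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    lowered = str(value).strip().lower()
    if lowered in TRUE_STRINGS:
        return True
    if lowered in FALSE_STRINGS:
        return False
    raise ValueError(f"invalid boolean value for 'insecure': {value!r}")


def verify_certs_fixed(conf: dict) -> bool:
    """Hardened pattern: only an explicit true value disables verification."""
    return not bool_from_string(conf.get("insecure"), default=False)


def compare(paste_ini: str) -> dict:
    """Run both checks over one config fragment; True means certificates are verified."""
    conf = load_filter_options(paste_ini)
    return {"vulnerable": verify_certs_vulnerable(conf),
            "fixed": verify_certs_fixed(conf)}


if __name__ == "__main__":
    for label, ini in (("insecure = false", PASTE_INI_EXPLICIT_FALSE),
                       ("option absent", PASTE_INI_ABSENT),
                       ("insecure = True", PASTE_INI_TRUE)):
        print(f"{label:18s} -> {compare(ini)}")
```

The interesting row is `insecure = false`: the vulnerable check reports verification off while the fixed check keeps it on, which is exactly the behaviour the CVE text describes. The strict parser also refuses values such as `maybe`, so a typo in an operator's paste.ini fails loudly at startup instead of silently weakening TLS.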
Notes

Author | Note
---|---
mdeslaur | will not be fixed before 14.10 goes EoL; upstream patch requires a more recent version of oslo.config than what is currently in trusty
Priority
Status
Package | Release | Status
---|---|---
python-keystoneclient (Launchpad, Ubuntu, Debian) | lucid | Does not exist
python-keystoneclient | precise | Not vulnerable (code not present)
python-keystoneclient | trusty | Released (1:0.7.1-ubuntu1.2)
python-keystoneclient | upstream | Released (1:0.10.1-2)
python-keystoneclient | utopic | Ignored (end of life)
python-keystoneclient | vivid | Not vulnerable (1:0.11.2-0ubuntu1)
python-keystonemiddleware (Launchpad, Ubuntu, Debian) | lucid | Does not exist
python-keystonemiddleware | precise | Does not exist
python-keystonemiddleware | trusty | Does not exist
python-keystonemiddleware | upstream | Released (1.0.0-3)
python-keystonemiddleware | utopic | Ignored (end of life)
python-keystonemiddleware | vivid | Not vulnerable (1.3.1-0ubuntu2)

Patches (python-keystoneclient):
- upstream: https://review.openstack.org/#/c/112232/ (master)
- upstream: https://review.openstack.org/gitweb?p=openstack/python-keystoneclient.git;a=commit;h=dee8bc62d641f633342cfdc37a246916a40b2f33

Patches (python-keystonemiddleware):
- upstream: https://review.openstack.org/#/c/113191/ (master)
- upstream: https://review.openstack.org/gitweb?p=openstack/keystonemiddleware.git;a=commit;h=bc2613e06b7dee3a51191de900d98636181ba130
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7144
- https://marc.info/?l=oss-security&m=141095376530829&w=2
- http://seclists.org/oss-sec/2014/q3/731
- http://lists.openstack.org/pipermail/openstack-announce/2014-September/000281.html
- https://ubuntu.com/security/notices/USN-2705-1
- NVD
- Launchpad
- Debian