Candidate: CVE-2013-6396
PublicDate: 2014-02-18 19:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6396
 http://lists.openstack.org/pipermail/openstack-announce/2014-February/000198.html
Description:
 The OpenStack Python client library for Swift (python-swiftclient) 1.0
 through 1.9.0 does not verify X.509 certificates from SSL servers, which
 allows man-in-the-middle attackers to spoof servers and obtain sensitive
 information via a crafted certificate.
Ubuntu-Description:
Notes:
 mdeslaur> OSSA 2014-005
 jdstrand> certificate verification checks are completely missing. Patch is
  intrusive and may not be applied to 13.10. Patch adds an --insecure option
  that would have to be enabled by default in the security update so as not
  to break production systems. Depending on upstream's decision, Ubuntu may
  only fix 14.04.
 mdeslaur> fixed in 2.0
Bugs:
 https://bugs.launchpad.net/python-swiftclient/+bug/1199783
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730626
 https://bugs.gentoo.org/show_bug.cgi?id=491368
 https://review.openstack.org/#/c/33473/
Priority: low
Discovered-by: Thomas Leaman
Assigned-to:
CVSS:

Patches_python-swiftclient:
upstream_python-swiftclient: needs-triage
lucid_python-swiftclient: DNE
precise_python-swiftclient: DNE
quantal_python-swiftclient: not-affected (code-not-present)
raring_python-swiftclient: not-affected (code-not-present)
saucy_python-swiftclient: ignored (reached end-of-life)
trusty_python-swiftclient: not-affected (1:2.0.3-0ubuntu1)
trusty/esm_python-swiftclient: DNE (trusty was not-affected [1:2.0.3-0ubuntu1])
devel_python-swiftclient: not-affected (1:2.0.3-0ubuntu1)
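The bug class described above (an HTTPS client that accepts any server certificate) beside the shape of the fix the notes describe (verification on by default, with an explicit --insecure opt-out), as an added example written for this page. It is not python-swiftclient's own code: the names make_ssl_context, VulnerableHTTPS, VerifiedHTTPS and verification_settings are chosen here, the cacert parameter is an assumed way to trust a private CA bundle, and swift.example.invalid is a constructed placeholder host.

```python
"""Illustrative code for CVE-2013-6396's bug class; not python-swiftclient's
code. Names and the `cacert` option are assumptions made for this example."""
import http.client
import ssl


class VulnerableHTTPS(http.client.HTTPSConnection):
    """The pre-2.0 shape of the bug: the TLS handshake completes against any
    certificate, so an on-path attacker presenting a self-signed certificate
    for the Swift endpoint receives the auth token and object data in clear.
    (Python 2's httplib behaved this way implicitly; here it is made explicit.)"""

    def __init__(self, host, port=None, **kwargs):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # no hostname match
        ctx.verify_mode = ssl.CERT_NONE   # no chain validation
        self.tls_context = ctx
        super().__init__(host, port, context=ctx, **kwargs)


def make_ssl_context(insecure=False, cacert=None):
    """Build the client-side context the way the fix does.

    insecure=False (default): validate the chain against the system trust
      store (or the `cacert` bundle, an assumed option) and check that the
      certificate matches the requested host.
    insecure=True: the opt-out mirroring the --insecure option from the notes,
      for deployments that still run self-signed certificates. It re-opens the
      MITM window, so it must be a deliberate per-invocation choice.
    """
    ctx = ssl.create_default_context(cafile=cacert)  # CERT_REQUIRED + hostname check
    if insecure:
        # Order matters: check_hostname must be off before CERT_NONE is allowed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


class VerifiedHTTPS(http.client.HTTPSConnection):
    """Post-fix shape: verification is the default; opting out is explicit.
    A forged certificate now fails the handshake with ssl.SSLCertVerificationError
    instead of silently succeeding."""

    def __init__(self, host, port=None, insecure=False, cacert=None, **kwargs):
        self.tls_context = make_ssl_context(insecure=insecure, cacert=cacert)
        super().__init__(host, port, context=self.tls_context, **kwargs)


def verification_settings(ctx):
    """Summarise what a context actually enforces; handy for auditing a client
    configuration without making a network connection."""
    return {
        "verify_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verify_hostname": bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    host = "swift.example.invalid"  # constructed placeholder, never resolved here
    print("vulnerable:", verification_settings(VulnerableHTTPS(host).tls_context))
    print("fixed     :", verification_settings(VerifiedHTTPS(host).tls_context))
    print("--insecure:", verification_settings(VerifiedHTTPS(host, insecure=True).tls_context))
```

The check worth carrying into a review of any HTTPS client is the one verification_settings makes: both the chain validation and the hostname match have to be on, since either alone still lets an attacker with a valid certificate for some other name complete the handshake.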