CVE-2013-6396

Publication date 18 February 2014

Last updated 24 July 2024

The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python-swiftclient	14.04 LTS trusty	Not in release
	13.10 saucy	Ignored
	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Not in release
	10.04 LTS lucid	Not in release

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

OSSA 2014-005

jdstrand

certificate verification checks are completely missing. Patch is intrusive and may not be applied to 13.10. Patch adds an --insecure option that would have to be enabled by default in the security update so as not to break production systems. Depending on upstream's decision, Ubuntu may only fix 14.04.

mdeslaur

fixed in 2.0

References

MITRE
NVD
Launchpad
Debian

Other references

http://lists.openstack.org/pipermail/openstack-announce/2014-February/000198.html
https://www.cve.org/CVERecord?id=CVE-2013-6396