oslo.vmware uses insecure api for https connection
Bug #1354985 reported by
Grant Murphy
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
| oslo.vmware |
Fix Released
|
Medium
|
Davanum Srinivas (DIMS) | ||
Bug Description
It seems that oslo.vmware uses httplib for HTTPS connections:
http://
httplib does not verify SSL certificates. This leaves the client open to MITM attacks.
Suggest moving to requests as other client tools have done.
Revision history for this message
| Grant Murphy (gmurphy) wrote | #1 |
| Changed in ossa: | |
| status: | New → Won't Fix |
| information type: | Private Security → Public Security |
| Changed in oslo.vmware: | |
| status: | New → Fix Committed |
| importance: | Undecided → Medium |
| assignee: | nobody → Davanum Srinivas (DIMS) (dims-v) |
| Changed in oslo.vmware: | |
| milestone: | none → 0.10.0 |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
As this is used for internal communication we have not issued OSSA for this in the past. (e.g. https:/
Marking the OSSA task as wontfix and opening this as a public security issue.