Launchpad CVE tracker

CVE 2015-1852

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.

Related bugs and status

CVE-2015-1852 (Candidate) is related to these bugs:

Bug #1411063: [OSSA 2015-007] S3token incorrect condition expression for ssl_insecure (CVE-2015-1852)

		In	Importance	Status
1411063	[OSSA 2015-007] S3token incorrect condition expression for ssl_insecure (CVE-2015-1852)	keystonemiddleware	Critical	Fix Released
1411063	[OSSA 2015-007] S3token incorrect condition expression for ssl_insecure (CVE-2015-1852)	OpenStack Security Advisory	High	Fix Released
1411063	[OSSA 2015-007] S3token incorrect condition expression for ssl_insecure (CVE-2015-1852)	keystonemiddleware kilo	Critical	Fix Released
1411063	[OSSA 2015-007] S3token incorrect condition expression for ssl_insecure (CVE-2015-1852)	python-keystoneclient	Critical	Fix Released
1411063	[OSSA 2015-007] S3token incorrect condition expression for ssl_insecure (CVE-2015-1852)	python-keystoneclient kilo	Critical	Fix Released
1411063	[OSSA 2015-007] S3token incorrect condition expression for ssl_insecure (CVE-2015-1852)	keystonemiddleware juno	Critical	Fix Released

Bug #1442579: [pre-OSSA] Vulnerability in OpenStack keystonemiddleware (CVE-2015-1852)

		In	Importance	Status
1442579	[pre-OSSA] Vulnerability in OpenStack keystonemiddleware (CVE-2015-1852)	Mirantis OpenStack	Critical	Fix Released
1442579	[pre-OSSA] Vulnerability in OpenStack keystonemiddleware (CVE-2015-1852)	Mirantis OpenStack 6.0.x	Critical	Fix Released
1442579	[pre-OSSA] Vulnerability in OpenStack keystonemiddleware (CVE-2015-1852)	Mirantis OpenStack 6.1.x	Critical	Fix Released
1442579	[pre-OSSA] Vulnerability in OpenStack keystonemiddleware (CVE-2015-1852)	Mirantis OpenStack 7.0.x	Critical	Fix Released
1442579	[pre-OSSA] Vulnerability in OpenStack keystonemiddleware (CVE-2015-1852)	Mirantis OpenStack 5.0.x	Critical	Fix Committed
1442579	[pre-OSSA] Vulnerability in OpenStack keystonemiddleware (CVE-2015-1852)	Mirantis OpenStack 5.1.x	Critical	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2015-1852

References