So the middleware is still present in python-keystoneclient, so I guess it should also be fixed there.
Here is a first impact description draft:
Title: S3Token TLS cert verification option not honoured in paste configs
Reporter: Brant Knudson (IBM)
Products: keystonemiddleware
Affects: versions up to 1.5.0 (keystonemiddleware),
versions up to 0.11.2 (python-keystoneclient)
Description:
Brant Knudson from IBM reported a vulnerability in keystonemiddleware
(formerly shipped as python-keystoneclient). When the 'insecure' option
is set in an S3Token paste configuration file it is effectively ignored,
regardless of its value. As a result certificate verification will be
disabled, leaving TLS connections open to MITM attacks. All versions of
s3_token middleware with TLS settings configured via a paste.ini file are
affected by this flaw.
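The draft above describes the effect (the paste.ini `insecure` setting is ignored and verification ends up off) but not the mechanism. The example below is added here and is not keystonemiddleware's own code; it assumes, for illustration, one common way such an option gets ignored: paste deploy hands options to the filter as strings, and a string such as `"false"` used directly as a boolean is truthy. The section name, option names and helper functions (`load_filter_conf`, `verify_flag_naive`, `verify_flag_strict`, `bool_from_string`) are constructed for this example; the sample ini fragment is constructed as well.

```python
"""Paste .ini options arrive as strings: an S3Token-style 'insecure' flag
has to be parsed strictly, or TLS certificate verification can silently
turn off no matter what the operator wrote in the file.
Added example; not code from keystonemiddleware or python-keystoneclient."""
import configparser

# Constructed sample paste.ini fragment (hypothetical values, not a real deployment).
PASTE_INI = """
[filter:s3token]
paste.filter_factory = keystonemiddleware.s3_token:filter_factory
auth_host = keystone.example.invalid
auth_port = 35357
auth_protocol = https
insecure = false
"""


def load_filter_conf(ini_text, section="filter:s3token"):
    """Parse a paste-style ini fragment into a plain dict of strings,
    which is the shape a paste filter factory receives its local conf in."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return dict(parser.items(section))


def verify_flag_naive(conf):
    """Weak pattern (assumed for illustration): the raw ini string is used as a
    boolean. Any non-empty string, including 'false', is truthy in Python, so
    'verify' comes out False and certificate checking is disabled regardless
    of the configured value."""
    insecure = conf.get("insecure", False)
    return not insecure


TRUE_STRINGS = {"1", "t", "true", "on", "y", "yes"}
FALSE_STRINGS = {"0", "f", "false", "off", "n", "no"}


def bool_from_string(value, default=False):
    """Strict boolean parsing: only a known spelling of true/false is accepted,
    a missing value takes the default, anything else raises instead of being
    guessed at."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError("not a boolean: %r" % (value,))


def verify_flag_strict(conf):
    """Hardened pattern: parse the string strictly and fail closed. An
    unrecognised value leaves verification on rather than turning it off."""
    try:
        insecure = bool_from_string(conf.get("insecure"), default=False)
    except ValueError:
        insecure = False
    return not insecure


if __name__ == "__main__":
    conf = load_filter_conf(PASTE_INI)
    print("raw option:", repr(conf["insecure"]))
    print("naive  -> verify =", verify_flag_naive(conf))
    print("strict -> verify =", verify_flag_strict(conf))
```

Running it on the constructed fragment shows the naive path reporting `verify = False` for `insecure = false`, while the strict path keeps verification on; the same strict parser turns it off only for an explicit true value. In a real deployment the corresponding check is to confirm, from the process rather than the ini file, what `verify` value the HTTP client is actually called with.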