Comment 9 for bug 1373993

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/icehouse)

Reviewed: https://review.openstack.org/127203
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=d7c8e936f373695580721f418e3eea7a31c00ea1
Submitter: Jenkins
Branch: stable/icehouse

commit d7c8e936f373695580721f418e3eea7a31c00ea1
Author: Sylvain Bauza <email address hidden>
Date: Mon Sep 29 13:33:50 2014 +0200

    Fix unsafe SSL connection on TrustedFilter

    TrustedFilter was using httplib, which doesn't check for CAs.
    Here the change is using Requests and verifies local CAs by default (or another
    one if provided).
    This effort is related to CVE-2013-2255.
    SecurityImpact

    ReleaseNote
    This patch adds an option attestation_insecure_ssl in TrustedFilter which can be
    used to verify CAs. The default value is set to True, disabling SSL certificate
    verification. While this is the insecure option, it was selected for backward
    compatibility reasons.

    Closes-Bug: #1373993
    (cherry picked from commit 30871e8702737edbbfbcbbb5f21858873b37685c)

    Conflicts:
     nova/tests/scheduler/test_host_filters.py

    Change-Id: I0b8e6319a4cc39876b1e396ef705f0fc5def1e44
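
Because the release note above says `attestation_insecure_ssl` defaults to True, a deployment that picks up this fix without touching its configuration still skips certificate verification. The following config audit is an added example, not code from the commit or from nova; the `[trusted_computing]` group and the `attestation_server_ca_file` option are not named on this page and are assumed here, and the sample configs are constructed.

```python
import configparser

# Default stated in the release note: True, i.e. verification disabled.
DEFAULT_INSECURE_SSL = True
SECTION = "trusted_computing"            # assumed nova.conf group name
CA_OPTION = "attestation_server_ca_file"  # assumed name of the CA file option


def audit_attestation_tls(conf_text):
    """Return (verify, finding) for the attestation connection.

    verify mirrors the value a Requests call takes as `verify`:
    False (no check), True (system CA bundle) or a CA bundle path.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    explicit = cp.has_option(SECTION, "attestation_insecure_ssl")
    insecure = cp.getboolean(SECTION, "attestation_insecure_ssl",
                             fallback=DEFAULT_INSECURE_SSL)
    ca_file = cp.get(SECTION, CA_OPTION, fallback="").strip()
    if insecure:
        why = "set explicitly" if explicit else "inherited from the default"
        return False, "FAIL: certificate verification disabled (%s)" % why
    if ca_file:
        return ca_file, "OK: verifying against %s" % ca_file
    return True, "OK: verifying against the system CA bundle"


# Constructed sample configurations (hostnames and paths are placeholders).
SAMPLES = {
    "patched, config untouched":
        "[trusted_computing]\nattestation_server = attest.example.test\n",
    "explicitly insecure":
        "[trusted_computing]\nattestation_insecure_ssl = true\n",
    "verify with system CAs":
        "[trusted_computing]\nattestation_insecure_ssl = False\n",
    "verify with private CA":
        "[trusted_computing]\nattestation_insecure_ssl = false\n"
        "attestation_server_ca_file = /etc/nova/attestation-ca.pem\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        verify, finding = audit_attestation_tls(text)
        print("%-28s verify=%-32r %s" % (name, verify, finding))
```
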