Xenserver glance plugin uses unsafe SSL connection

Bug #1374001 reported by Sean Dague
Affects: OpenStack Compute (nova)
Status: Won't Fix
Importance: High
Assigned to: Unassigned

Bug Description

The _upload_tarball function in plugins/xenserver/xenapi/etc/xapi.d/plugins/glance uses httplib.HTTPSConnection objects. In Python 2.x those do not perform CA checks, so client connections are vulnerable to MitM attacks.

This is the specific version of https://bugs.launchpad.net/nova/+bug/1188189.
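The defensive pattern the report calls for, as an added illustration that is not code from the nova xenserver plugin or from the proposed review: build the HTTPS connection on an explicit TLS context that validates the server certificate against a CA bundle and checks the hostname, with verification disabled only when an explicit opt-out flag is passed (the "insecure" behaviour discussed later in the thread). The example uses Python 3's http.client/ssl rather than the plugin's Python 2.4 httplib, and the function names, the ca_file parameter and the insecure flag are assumptions made for this example.

```python
import http.client
import ssl


def make_tls_context(ca_file=None, insecure=False):
    """Return an SSLContext for client connections.

    Default: verify the server certificate chain against the system CA bundle
    (or the PEM bundle at ``ca_file``) and check that the certificate matches
    the hostname.  ``insecure=True`` is the hypothetical opt-out: it reproduces
    the old Python 2.x HTTPSConnection behaviour of validating nothing, which
    is exactly what leaves the client open to an active man-in-the-middle.
    """
    if insecure:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    # create_default_context() gives CERT_REQUIRED + check_hostname=True and
    # loads the platform CA store when no cafile is supplied.
    ctx = ssl.create_default_context(cafile=ca_file)
    return ctx


def context_verifies_peer(ctx):
    """True only if the context both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def make_https_connection(host, port=443, ca_file=None, insecure=False, timeout=30):
    """Build an HTTPSConnection bound to a context from make_tls_context().

    Returns (connection, verifies_peer) so callers can log or refuse an
    unverified connection before any request is sent.
    """
    ctx = make_tls_context(ca_file=ca_file, insecure=insecure)
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    return conn, context_verifies_peer(ctx)


if __name__ == "__main__":
    # Constructed example host; no connection is opened here.
    conn, verified = make_https_connection("glance.example.invalid", 9292)
    print("verifying peer:", verified)          # True
    conn, verified = make_https_connection("glance.example.invalid", 9292, insecure=True)
    print("verifying peer:", verified)          # False
```

A connection created with the default context will raise ssl.SSLCertVerificationError on connect when the presented certificate does not chain to a trusted CA or does not match the host, which is the failure you want instead of silently talking to an interposed endpoint.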

Tags: xenserver
Sean Dague (sdague)
Changed in nova:
status: New → Triaged
importance: Undecided → Critical
tags: added: xenserver
melanie witt (melwitt)
Changed in nova:
assignee: nobody → melanie witt (melwitt)
John Garbutt (johngarbutt) wrote :

catch me on IRC if I can help out with this (johnthetubaguy)

John Garbutt (johngarbutt) wrote :

It's all Python 2.4 code down there, and we haven't managed to get unit tests sorted yet :(

melanie witt (melwitt) wrote :

Thanks John! I might not find you on IRC because of the time difference. I noticed there aren't unit tests, but I'm seeing if I can figure out how I can test it (not familiar with this script but wanted to help with bugs).

I have got some code -- haven't yet sorted how to let the script choose to be insecure (and not verify cert) if it wants. I'll put a review up today and add you so you can let me know what to change. :)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/125249

Changed in nova:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Sean Dague (<email address hidden>) on branch: master
Review: https://review.openstack.org/125249
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Joe Gordon (jogo) wrote :

Patch is abandoned, not in progress.

Changed in nova:
status: In Progress → Confirmed
Michael Still (mikal) wrote :

Single hypervisor, so not critical.

Changed in nova:
importance: Critical → High
assignee: melanie witt (melwitt) → nobody
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Sean Dague (<email address hidden>) on branch: master
Review: https://review.openstack.org/125249
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Changed in nova:
assignee: nobody → deng.zhengyi (deng-zhengyi)
Changed in nova:
assignee: deng.zhengyi (deng-zhengyi) → nobody
Sean Dague (sdague) wrote :

Due to limitations of the xen platform this is not really fixable. Closing.

Changed in nova:
status: Confirmed → Won't Fix