Comment 10 for bug 1411063
Revision history for this message
| Tristan Cacqueray (tristan-cacqueray) wrote Re: S3token incorrect condition expression for ssl_insecure | #10 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0f7b58d
(Get the code!)
Thanks for the quick feedback. Here is the updated impact description draft:
Title: S3Token TLS cert verification option not honored
Reporter: Brant Knudson (IBM)
Products: keystonemiddleware, python-
Affects: versions up to 1.5.0 (keystonemiddle
versions up to 0.11.2 (python-
Description:
Brant Knudson from IBM reported a vulnerability in keystonemiddleware
(formerly shipped as python-
is set in a S3Token paste configuration file it is effectively ignored,
regardless of its value. As a result certificate verification will be
disabled, leaving TLS connections open to MITM attacks. All versions of
s3_token middleware with TLS settings configured are affected by this
flaw.