Thanks for the quick feedback. Here is the updated impact description draft:
Title: S3Token TLS cert verification option not honored
Reporter: Brant Knudson (IBM)
Products: keystonemiddleware, python-keystoneclient
Affects: versions up to 1.5.0 (keystonemiddleware),
versions up to 0.11.2 (python-keystoneclient)
Description:
Brant Knudson from IBM reported a vulnerability in keystonemiddleware
(formerly shipped as python-keystoneclient). When the 'insecure' option
is set in an S3Token paste configuration file it is effectively ignored,
regardless of its value. As a result certificate verification will be
disabled, leaving TLS connections open to MITM attacks. All versions of
s3_token middleware with TLS settings configured are affected by this
flaw.
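The pattern behind this class of bug, as an added illustration and not keystonemiddleware's or python-keystoneclient's actual code: a paste-deploy filter_factory receives its options as a dict of strings, so a value such as "false" read from the ini file is a non-empty string and therefore truthy. Testing the option with bool() disables certificate verification whenever the key is present, whatever it says. The constructed ini text, the section name and the function names below are assumptions made for the example; the strict string-to-bool parser mirrors the shape of oslo.utils' bool_from_string but is written here from scratch.

```python
import configparser
from typing import Mapping

# Constructed paste-deploy style configuration for the example; not taken from
# any real deployment. The operator explicitly asks for verification to stay on.
SAMPLE_PASTE_INI = """
[filter:s3token]
paste.filter_factory = keystonemiddleware.s3_token:filter_factory
auth_protocol = https
auth_host = keystone.example.invalid
auth_port = 35357
insecure = false
"""

TRUE_STRINGS = ('1', 't', 'true', 'on', 'y', 'yes')
FALSE_STRINGS = ('0', 'f', 'false', 'off', 'n', 'no')


def load_filter_conf(ini_text: str, section: str = 'filter:s3token') -> dict:
    """Parse one [filter:...] section into the plain str->str dict that a
    paste filter_factory is handed (every value is a string)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return dict(parser.items(section))


def bool_from_string(value, default: bool = False) -> bool:
    """Strict string-to-bool conversion. Unrecognised values raise instead of
    silently becoming True or False; a missing option yields the default."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError("unrecognised boolean value for 'insecure': %r" % (value,))


def verify_flag_vulnerable(conf: Mapping[str, str]) -> bool:
    """Flawed pattern (hypothetical reconstruction): the option is used as a
    boolean without parsing. bool('false') is True, so verification is
    switched off as soon as 'insecure' appears in the config at all."""
    insecure = conf.get('insecure', False)
    return not bool(insecure)


def verify_flag_hardened(conf: Mapping[str, str]) -> bool:
    """Fixed pattern: convert the string before treating it as a boolean.
    The return value is what would be passed as verify= to the HTTP client."""
    insecure = bool_from_string(conf.get('insecure'), default=False)
    return not insecure


if __name__ == '__main__':
    conf = load_filter_conf(SAMPLE_PASTE_INI)
    print('insecure option as read from ini:', repr(conf['insecure']))
    print('vulnerable code verifies certs:', verify_flag_vulnerable(conf))
    print('hardened code verifies certs:  ', verify_flag_hardened(conf))
```

With the sample config, the flawed helper reports verification off even though the operator wrote insecure = false; the hardened helper keeps it on, leaves it on when the option is absent, and refuses to guess on values it does not recognise rather than defaulting to an insecure connection.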