CVE-2013-2255

Published: 1 November 2019

HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.

Notes

Author: jdstrand

Note:
swift not-affected per upstream
per upstream, all occurrences are "for serverside node-to-node communication that could be assumed to happen on private networks". 'use_ssl' does convey protection, but there is no way to specify a ca_file. Adjusting priority to low since client to server communications are not affected (just server to server and middleware to server) and upstream and Ubuntu documentation all state the OpenStack components should be on a trusted network segment.
uses httplib.HTTPSConnection objects which are not fixed in Ubuntu. Could use pycurl, python3, or httplib2.
upstream will fix as a secure feature in a future version because this will break upgrades. Nothing to be done at this time. Leaving 13.10 open, but deferred, since the 13.10 will have a newer version.
Ubuntu 13.10 released before fix from upstream, ignoring keystone
Ubuntu 13.10 released with python-keystoneclient 0.3, ignoring
Ubuntu 13.10 released before fix from upstream, ignoring cinder
Ubuntu 13.10 released before fix from upstream, ignoring nova
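The defect behind this CVE is an HTTPS client that never checks the server's certificate, and the note above adds that the affected code has no way to pass a CA bundle (ca_file). The following added example, which is not code from the page or from any OpenStack project, shows the corrected client configuration in Python 3's standard library alongside the weak configuration an audit should flag. The function names, the ca_file parameter and the host "example.invalid" are this example's own choices.

```python
import http.client
import ssl


def verifying_context(ca_file=None):
    """Return a TLS client context that verifies the server certificate.

    ca_file is a hypothetical parameter modelled on the missing option the
    tracker note describes: None trusts the platform's default CA store;
    a path restricts trust to that CA bundle only (for example a private
    CA used on an internal network), because create_default_context()
    skips loading the default store when cafile is given.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    # create_default_context() already sets both of these for client use;
    # restating them makes a later accidental downgrade easy to spot in review.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context():
    """The weak setting to recognise: equivalent to a legacy httplib
    HTTPSConnection, which encrypts the channel but accepts any certificate,
    so a network-position attacker can present their own and read traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx):
    """Check an SSLContext the way a unit test or config audit would:
    both chain validation and hostname matching must be enabled."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def https_connection(host, port=443, ca_file=None):
    """Build an HTTPSConnection bound to a verifying context. Constructing
    the object does not open a socket, so this is safe to call offline;
    the TLS handshake (and the certificate check) happens on first request."""
    ctx = verifying_context(ca_file)
    assert verifies_peer(ctx), "refusing to build a non-verifying connection"
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    # Constructed demonstration: no network access is performed here.
    print("verifying context verifies peer:", verifies_peer(verifying_context()))
    print("unverified context verifies peer:", verifies_peer(unverified_context()))
    conn = https_connection("example.invalid")
    print("connection target:", conn.host, conn.port)
```

Using verifying_context(ca_file="/path/to/internal-ca.pem") (path is a placeholder) is the shape of the fix the note says the affected packages lacked: node-to-node calls on a private network still get an authenticated peer, not just an encrypted pipe.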

Priority

Low

CVSS 3 base score: 5.9

Status

Package / Release / Status

swift (Launchpad, Ubuntu, Debian)
  quantal    Not vulnerable
  raring     Not vulnerable
  upstream   Not vulnerable
  lucid      Does not exist
  precise    Not vulnerable

quantum (Launchpad, Ubuntu, Debian)
  upstream   Needs triage
  lucid      Does not exist
  precise    Ignored
  quantal    Ignored
  raring     Ignored

cinder (Launchpad, Ubuntu, Debian)
  upstream   Needs triage
  lucid      Does not exist
  precise    Does not exist
  quantal    Ignored
  raring     Ignored

keystone (Launchpad, Ubuntu, Debian)
  upstream   Needs triage
  lucid      Does not exist
  precise    Ignored
  quantal    Ignored
  raring     Ignored

python-keystoneclient (Launchpad, Ubuntu, Debian)
  upstream   Released (0.4.1)
  lucid      Does not exist
  precise    Ignored
  quantal    Ignored
  raring     Ignored

nova (Launchpad, Ubuntu, Debian)
  upstream   Needs triage
  lucid      Does not exist
  precise    Ignored
  quantal    Ignored
  raring     Ignored