ID CVE-2015-1852 Type cve Reporter cve@mitre.org Modified 2016-12-24T02:59:00
Description
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.
{"openvas": [{"lastseen": "2019-05-29T18:36:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1852"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2015-07-19T00:00:00", "id": "OPENVAS:1361412562310869782", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869782", "type": "openvas", "title": "Fedora Update for python-keystonemiddleware FEDORA-2015-11656", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for python-keystonemiddleware FEDORA-2015-11656\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869782\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-19 06:38:48 +0200 (Sun, 19 Jul 2015)\");\n script_cve_id(\"CVE-2015-1852\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for python-keystonemiddleware FEDORA-2015-11656\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-keystonemiddleware'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"python-keystonemiddleware on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-11656\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162186.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"python-keystonemiddleware\", rpm:\"python-keystonemiddleware~1.3.2~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:36:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1852", "CVE-2014-7144"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2015-08-06T00:00:00", "id": "OPENVAS:1361412562310842402", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842402", "type": "openvas", "title": "Ubuntu Update for python-keystoneclient USN-2705-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for python-keystoneclient USN-2705-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842402\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-08-06 07:02:07 +0200 (Thu, 06 Aug 2015)\");\n script_cve_id(\"CVE-2014-7144\", \"CVE-2015-1852\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for python-keystoneclient USN-2705-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-keystoneclient'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Qin Zhao discovered Keystone disabled\ncertification verification when the 'insecure' option is set in a paste\nconfiguration (paste.ini) file regardless of the value, which allows remote\nattackers to conduct man-in-the-middle attacks via a crafted certificate.\n(CVE-2014-7144)\n\nBrant Knudson discovered Keystone disabled certification verification when\nthe 'insecure' option is set in a paste configuration (paste.ini)\nfile regardless of the value, which allows remote attackers to conduct\nman-in-the-middle attacks via a crafted certificate. (CVE-2015-1852)\");\n script_tag(name:\"affected\", value:\"python-keystoneclient on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"USN\", value:\"2705-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2705-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"python-keystoneclient\", ver:\"1:0.7.1-ubuntu1.2\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2020-06-05T09:27:41", "description": "Update to upstream 1.3.2 which incldes fix for CVE-2015-1852 Update to\nupstream 1.3.1 + S3token incorrect condition expression for\nssl_insecure CVE-2015-1852\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 16, "published": "2015-07-20T00:00:00", "title": "Fedora 22 : python-keystonemiddleware-1.3.2-1.fc22 (2015-11656)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1852"], "modified": "2015-07-20T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python-keystonemiddleware", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2015-11656.NASL", "href": "https://www.tenable.com/plugins/nessus/84855", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-11656.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84855);\n script_version(\"2.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2015-1852\");\n script_xref(name:\"FEDORA\", value:\"2015-11656\");\n\n script_name(english:\"Fedora 22 : python-keystonemiddleware-1.3.2-1.fc22 (2015-11656)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to upstream 1.3.2 which incldes fix for CVE-2015-1852 Update to\nupstream 1.3.1 + S3token incorrect condition expression for\nssl_insecure CVE-2015-1852\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1209527\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162186.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d3981e19\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-keystonemiddleware package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-keystonemiddleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"python-keystonemiddleware-1.3.2-1.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-keystonemiddleware\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-09-23T18:55:22", "description": "Qin Zhao discovered Keystone disabled certification verification when\nthe 'insecure' option is set in a paste configuration (paste.ini) file\nregardless of the value, which allows remote attackers to conduct\nman-in-the-middle attacks via a crafted certificate. (CVE-2014-7144)\n\nBrant Knudson discovered Keystone disabled certification verification\nwhen the 'insecure' option is set in a paste configuration (paste.ini)\nfile regardless of the value, which allows remote attackers to conduct\nman-in-the-middle attacks via a crafted certificate. (CVE-2015-1852).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 22, "published": "2015-08-06T00:00:00", "title": "Ubuntu 14.04 LTS / 15.04 : python-keystoneclient, python-keystonemiddleware vulnerabilities (USN-2705-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1852", "CVE-2014-7144"], "modified": "2015-08-06T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:15.04", "p-cpe:/a:canonical:ubuntu_linux:python-keystoneclient", "p-cpe:/a:canonical:ubuntu_linux:python-keystonemiddleware", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2705-1.NASL", "href": "https://www.tenable.com/plugins/nessus/85253", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2705-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85253);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/22\");\n\n script_cve_id(\"CVE-2014-7144\", \"CVE-2015-1852\");\n script_xref(name:\"USN\", value:\"2705-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 15.04 : python-keystoneclient, python-keystonemiddleware vulnerabilities (USN-2705-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Qin Zhao discovered Keystone disabled certification verification when\nthe 'insecure' option is set in a paste configuration (paste.ini) file\nregardless of the value, which allows remote attackers to conduct\nman-in-the-middle attacks via a crafted certificate. (CVE-2014-7144)\n\nBrant Knudson discovered Keystone disabled certification verification\nwhen the 'insecure' option is set in a paste configuration (paste.ini)\nfile regardless of the value, which allows remote attackers to conduct\nman-in-the-middle attacks via a crafted certificate. (CVE-2015-1852).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2705-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected python-keystoneclient and / or\npython-keystonemiddleware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-keystoneclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-keystonemiddleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2015-2020 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|15\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 15.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"python-keystoneclient\", pkgver:\"1:0.7.1-ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"python-keystoneclient\", pkgver:\"1:1.2.0-0ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"python-keystonemiddleware\", pkgver:\"1.5.0-0ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-keystoneclient / python-keystonemiddleware\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntu": [{"lastseen": "2020-07-02T11:44:11", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1852", "CVE-2014-7144"], "description": "Qin Zhao discovered Keystone disabled certification verification when \nthe \"insecure\" option is set in a paste configuration (paste.ini) \nfile regardless of the value, which allows remote attackers to conduct \nman-in-the-middle attacks via a crafted certificate. (CVE-2014-7144)\n\nBrant Knudson discovered Keystone disabled certification verification when \nthe \"insecure\" option is set in a paste configuration (paste.ini) \nfile regardless of the value, which allows remote attackers to conduct \nman-in-the-middle attacks via a crafted certificate. (CVE-2015-1852)", "edition": 5, "modified": "2015-08-06T00:00:00", "published": "2015-08-06T00:00:00", "id": "USN-2705-1", "href": "https://ubuntu.com/security/notices/USN-2705-1", "title": "Keystone vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "redhat": [{"lastseen": "2019-08-13T18:45:25", "bulletinFamily": "unix", "cvelist": ["CVE-2014-7144", "CVE-2015-1852"], "description": "Python-keystonemiddleware (formely python-keystoneclient) is a client library\nand a command line utility for interacting with the OpenStack Identity API.\n\nRed Hat Enterprise OpenStack Platform 6.0 contains and uses both the\npython-keystonemiddleware and python-keystoneclient versions of this\npackage.\n\nIt was discovered that some items in the the S3Token configuration as used\nby python-keystonemiddleware and python-keystoneclient were incorrectly\nevaluated as strings, an issue similar to CVE-2014-7144. This would result\nin a setting for 'insecure=false' to evaluate as true and leave TLS\nconnections open to MITM. (CVE-2015-1852)\n\nRed Hat would like to thank the OpenStack project for reporting this issue.\nUpstream acknowledges Brant Knudson from IBM as the original reporter.\n\nNote: \"insecure\" defaults to false, so setups that do not specifically define\n\"insecure=false\" are unaffected.\n\nAll python-keystoneclient users are advised to upgrade to these updated\npackages, which correct these issues.\n", "modified": "2018-03-19T16:26:56", "published": "2015-08-24T04:00:00", "id": "RHSA-2015:1677", "href": "https://access.redhat.com/errata/RHSA-2015:1677", "type": "redhat", "title": "(RHSA-2015:1677) Moderate: python-keystoneclient and python-keystonemiddlware security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-13T18:45:27", "bulletinFamily": "unix", "cvelist": ["CVE-2014-7144", "CVE-2015-1852"], "description": "Python-keystoneclient is a client library and a command-line utility\nfor interacting with the OpenStack Identity API.\n\nIt was discovered that some items in the S3Token configuration as used by\npython-keystoneclient were incorrectly evaluated as strings, an issue\nsimilar to CVE-2014-7144. If the \"insecure\" option was set to \"false\", the\noption would be evaluated as true, resulting in TLS connections being\nvulnerable to man-in-the-middle attacks. Note: The \"insecure\" option\ndefaults to false, so setups that do not specifically define\n\"insecure=false\" are not affected. (CVE-2015-1852)\n\nRed Hat would like to thank the OpenStack project for reporting this issue.\nUpstream acknowledges Brant Knudson from IBM as the original reporter.\n\nAll python-keystoneclient users are advised to upgrade to these updated\npackages, which contain a backported patch to correct this issue.\n", "modified": "2018-06-07T02:47:57", "published": "2015-08-25T04:00:00", "id": "RHSA-2015:1685", "href": "https://access.redhat.com/errata/RHSA-2015:1685", "type": "redhat", "title": "(RHSA-2015:1685) Moderate: python-keystoneclient security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1852", "CVE-2014-7144"], "description": "Certificates validation bypass.", "edition": 1, "modified": "2015-08-24T00:00:00", "published": "2015-08-24T00:00:00", "id": "SECURITYVULNS:VULN:14650", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14650", "title": "OpenStack Keystone restrictions bypass", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:01", "bulletinFamily": "software", "cvelist": ["CVE-2015-1852", "CVE-2014-7144"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2705-1\r\nAugust 06, 2015\r\n\r\npython-keystoneclient, python-keystonemiddleware vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n\r\nSummary:\r\n\r\nKeystone could be made to expose sensitive information over the\r\nnetwork.\r\n\r\nSoftware Description:\r\n- python-keystoneclient: Client library for OpenStack Identity API\r\n- python-keystonemiddleware: Client library for OpenStack Identity API\r\n\r\nDetails:\r\n\r\nQin Zhao discovered Keystone disabled certification verification when\r\nthe "insecure" option is set in a paste configuration (paste.ini)\r\nfile regardless of the value, which allows remote attackers to conduct\r\nman-in-the-middle attacks via a crafted certificate. (CVE-2014-7144)\r\n\r\nBrant Knudson discovered Keystone disabled certification verification when\r\nthe "insecure" option is set in a paste configuration (paste.ini)\r\nfile regardless of the value, which allows remote attackers to conduct\r\nman-in-the-middle attacks via a crafted certificate. (CVE-2015-1852)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.04:\r\n python-keystoneclient 1:1.2.0-0ubuntu1.1\r\n python-keystonemiddleware 1.5.0-0ubuntu1.1\r\n\r\nUbuntu 14.04 LTS:\r\n python-keystoneclient 1:0.7.1-ubuntu1.2\r\n\r\nAfter a standard system update you need to restart Keystone to make\r\nall the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2705-1\r\n CVE-2014-7144, CVE-2015-1852\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/python-keystoneclient/1:1.2.0-0ubuntu1.1\r\n https://launchpad.net/ubuntu/+source/python-keystonemiddleware/1.5.0-0ubuntu1.1\r\n https://launchpad.net/ubuntu/+source/python-keystoneclient/1:0.7.1-ubuntu1.2\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-08-24T00:00:00", "published": "2015-08-24T00:00:00", "id": "SECURITYVULNS:DOC:32426", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32426", "title": "[USN-2705-1] Keystone vulnerabilities", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}
