CVE-2014-7144 Information

Description

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certificate verification when the "insecure" option is set in a paste configuration (paste.ini) file, regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

Reference

http://rhn.redhat.com/errata/RHSA-2014-1783.html
http://rhn.redhat.com/errata/RHSA-2014-1784.html
http://rhn.redhat.com/errata/RHSA-2015-0020.html
http://secunia.com/advisories/62709
http://www.openwall.com/lists/oss-security/2014/09/25/51
http://www.securityfocus.com/bid/69864
http://www.ubuntu.com/usn/USN-2705-1
https://bugs.launchpad.net/python-keystoneclient/+bug/1353315
