[CVE-2012-3446] Possible SSL MITM due to invalid regular expression used to validate the target server hostname
Apache Libcloud 0.4.2 to 0.11.1
Versions prior to 0.4.2 don't perform any target server SSL certificate validation.
When establishing a secure (SSL / TLS) connection to a target server an invalid regular expression has been used for performing the hostname verification. Subset instead of the full target server hostname has been marked an an acceptable match for the given hostname.
For example, certificate with a hostname field of "aexample.com" was considered a valid certificate for domain "example.com".
Users should upgrade to the latest version (0.11.1) which includes a fix.
This issue was discovered by researchers from the University of Texas at Austin (Martin Georgiev, Suman Jana and Vitaly Shmatikov).
[CVE-2010-4340] SSL MITM vulnerability
Python SSL library doesn't validate a host SSL certificate and as a consequence, versions prior to 0.4.2 are vulnerable to a man-in-the-middle attack.
Affected versions: All the versions prior to 0.4.2
This vulnerability has been fixed in the version 0.4.2. You are strongly encouraged to upgrade to this version and set libcloud.security.VERIFY_SSL_CERT variable to True.
Reporting a vulnerability
If you find a security vulnerability you are strongly encouraged to report it to our private mailing list: email@example.com
PGP keys of the libcloud developers can be found at https://www.apache.org/dist/libcloud/KEYS