title: Security updates and reports

## Libcloud Vulnerabilities

### [CVE-2012-3446] Possible SSL MITM due to invalid regular expression used to validate the target server hostname

**Severity**: Medium

**Versions Affected**:

Apache Libcloud 0.4.2 to 0.11.1

Versions prior to 0.4.2 don't perform any target server SSL certificate
validation.

**Description**:

When establishing a secure (SSL / TLS) connection to a target server an
invalid regular expression has been used for performing the hostname
verification. Subset instead of the full target server hostname has been
marked an an acceptable match for the given hostname.

For example, certificate with a hostname field of "aexample.com" was considered
a valid certificate for domain "example.com".

**Mitigation**:

Users should upgrade to the latest version (0.11.1) which includes a fix.

**Credit**:

This issue was discovered by researchers from the University of Texas at Austin
(Martin Georgiev, Suman Jana and Vitaly Shmatikov).

### [CVE-2010-4340] SSL MITM vulnerability

**Description**:

Python SSL library doesn't validate a host SSL certificate and as a
consequence, versions prior to **0.4.2** are vulnerable to a man-in-the-middle
attack.

**Affected versions**: All the versions prior to **0.4.2**

**Fix version**:

This vulnerability has been fixed in the version
**[0.4.2](/libcloud/downloads.html)**. You are strongly encouraged
to upgrade to this version and set libcloud.security.VERIFY_SSL_CERT variable
to True.

## Reporting a vulnerability

If you find a security vulnerability you are strongly encouraged to report it to
our private mailing list: [security@libcloud.apache.org](mailto:security@libcloud.apache.org)

PGP keys of the libcloud developers can be found at
[https://www.apache.org/dist/libcloud/KEYS](https://www.apache.org/dist/libcloud/KEYS)