UbuntuUpdates.org

Package "swift"

Name: swift

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • distributed virtual object store - Python libraries
  • distributed virtual object store - account server
  • distributed virtual object store - container server
  • distributed virtual object store - documentation

Latest version: 1.13.1-0ubuntu1.5
Release: trusty (14.04)
Level: security
Repository: main

Links



Other versions of "swift" in Trusty

Repository Area Version
base main 1.13.1-0ubuntu1
base universe 1.13.1-0ubuntu1
security universe 1.13.1-0ubuntu1.5
updates universe 1.13.1-0ubuntu1.5
updates main 1.13.1-0ubuntu1.5

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.13.1-0ubuntu1.5 2017-10-11 14:06:56 UTC

  swift (1.13.1-0ubuntu1.5) trusty-security; urgency=medium

  [ Jamie Strandboge ]
  * SECURITY UPDATE: disallow unsafe tempurl operations to point to
    unauthorized data
    - debian/patches/CVE-2015-5223.patch: disallow creation of DLO object
      manifests if non-safe tempurl request includes X-Object-Manifest header
    - CVE-2015-5223
    - LP: #1453948

  [ Marc Deslauriers ]
  * SECURITY UPDATE: DoS via incorrectly closed client connections
    - debian/patches/CVE-2016-0737.patch: get better at closing WSGI
      iterables in swift/common/middleware/dlo.py,
      swift/common/middleware/slo.py, swift/common/request_helpers.py,
      swift/common/swob.py, swift/common/utils.py,
      test/unit/common/middleware/helpers.py,
      test/unit/common/middleware/test_dlo.py,
      test/unit/common/middleware/test_slo.py.
    - CVE-2016-0737
  * SECURITY UPDATE: DoS via incorrectly closed server connections
    - debian/patches/CVE-2016-0738.patch: fix memory/socket leak in proxy
      on truncated SLO/DLO GET in swift/common/request_helpers.py,
      test/unit/common/middleware/test_slo.py.
    - CVE-2016-0738
  * Thanks to Red Hat for the patch backports!
  * debian/patches/fix-ubuntu-tests.patch: disable another test that no
    longer works on buildds.

 -- Marc Deslauriers <email address hidden> Tue, 12 Sep 2017 07:36:43 -0400

Source diff to previous version
1453948 [OSSA 2015-016] all PUT tempurls leak existence via DLO manifest attack (CVE-2015-5223)
CVE-2015-5223 OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that refer
CVE-2016-0737 OpenStack Object Storage (Swift) before 2.4.0 does not properly close client connections, which allows remote attackers to cause a denial of service
CVE-2016-0738 OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x before 2.5.1 (Liberty) do not properly close server connections, which allows

Version: 1.13.1-0ubuntu1.2 2015-08-06 03:06:44 UTC

  swift (1.13.1-0ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: metadata constraint bypass via multiple requests
    - debian/patches/CVE-2014-7960.patch: add metadata checks to
      swift/account/server.py, swift/common/constraints.py,
      swift/common/db.py, swift/container/server.py, added tests to
      test/functional/test_account.py, test/functional/test_container.py,
      test/unit/common/test_db.py.
    - CVE-2014-7960
  * SECURITY UPDATE: object deletion via x-versions-location container
    - debian/patches/CVE-2015-1856.patch: prevent unauthorized delete in
      swift/proxy/controllers/obj.py, added tests to
      test/functional/tests.py, test/unit/proxy/test_server.py.
    - CVE-2015-1856

 -- Marc Deslauriers Wed, 22 Jul 2015 11:03:05 -0400

Source diff to previous version
CVE-2014-7960 OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multi
CVE-2015-1856 OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an

Version: 1.13.1-0ubuntu1.1 2014-06-25 23:06:21 UTC

  swift (1.13.1-0ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: properly quote www-authenticate header value
    - debian/patches/CVE-2014-3497.patch: urllib2.quote() the Swift realm in
      swift/common/swob.py
    - CVE-2014-3497
    - LP: #1327414
 -- Jamie Strandboge <email address hidden> Tue, 24 Jun 2014 07:08:11 -0500

1327414 [OSSA 2014-020] www-authenticate value isn't quoted (CVE-2014-3497)
CVE-2014-3497 XSS in Swift requests through WWW-Authenticate header



About   -   Send Feedback to @ubuntu_updates