Package "swift-object-expirer"
Name: |
swift-object-expirer
|
Description: |
distributed virtual object store - object expirer
|
Latest version: |
1.13.1-0ubuntu1.5 |
Release: |
trusty (14.04) |
Level: |
security |
Repository: |
universe |
Head package: |
swift |
Homepage: |
http://launchpad.net/swift |
Links
Download "swift-object-expirer"
Other versions of "swift-object-expirer" in Trusty
Changelog
swift (1.13.1-0ubuntu1.5) trusty-security; urgency=medium
[ Jamie Strandboge ]
* SECURITY UPDATE: disallow unsafe tempurl operations to point to
unauthorized data
- debian/patches/CVE-2015-5223.patch: disallow creation of DLO object
manifests if non-safe tempurl request includes X-Object-Manifest header
- CVE-2015-5223
- LP: #1453948
[ Marc Deslauriers ]
* SECURITY UPDATE: DoS via incorrectly closed client connections
- debian/patches/CVE-2016-0737.patch: get better at closing WSGI
iterables in swift/common/middleware/dlo.py,
swift/common/middleware/slo.py, swift/common/request_helpers.py,
swift/common/swob.py, swift/common/utils.py,
test/unit/common/middleware/helpers.py,
test/unit/common/middleware/test_dlo.py,
test/unit/common/middleware/test_slo.py.
- CVE-2016-0737
* SECURITY UPDATE: DoS via incorrectly closed server connections
- debian/patches/CVE-2016-0738.patch: fix memory/socket leak in proxy
on truncated SLO/DLO GET in swift/common/request_helpers.py,
test/unit/common/middleware/test_slo.py.
- CVE-2016-0738
* Thanks to Red Hat for the patch backports!
* debian/patches/fix-ubuntu-tests.patch: disable another test that no
longer works on buildds.
-- Marc Deslauriers <email address hidden> Tue, 12 Sep 2017 07:36:43 -0400
|
Source diff to previous version |
1453948 |
[OSSA 2015-016] all PUT tempurls leak existence via DLO manifest attack (CVE-2015-5223) |
CVE-2015-5223 |
OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that refer |
CVE-2016-0737 |
OpenStack Object Storage (Swift) before 2.4.0 does not properly close client connections, which allows remote attackers to cause a denial of service |
CVE-2016-0738 |
OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x before 2.5.1 (Liberty) do not properly close server connections, which allows |
|
swift (1.13.1-0ubuntu1.2) trusty-security; urgency=medium
* SECURITY UPDATE: metadata constraint bypass via multiple requests
- debian/patches/CVE-2014-7960.patch: add metadata checks to
swift/account/server.py, swift/common/constraints.py,
swift/common/db.py, swift/container/server.py, added tests to
test/functional/test_account.py, test/functional/test_container.py,
test/unit/common/test_db.py.
- CVE-2014-7960
* SECURITY UPDATE: object deletion via x-versions-location container
- debian/patches/CVE-2015-1856.patch: prevent unauthorized delete in
swift/proxy/controllers/obj.py, added tests to
test/functional/tests.py, test/unit/proxy/test_server.py.
- CVE-2015-1856
-- Marc Deslauriers Wed, 22 Jul 2015 11:03:05 -0400
|
Source diff to previous version |
CVE-2014-7960 |
OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multi |
CVE-2015-1856 |
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an |
|
swift (1.13.1-0ubuntu1.1) trusty-security; urgency=medium
* SECURITY UPDATE: properly quote www-authenticate header value
- debian/patches/CVE-2014-3497.patch: urllib2.quote() the Swift realm in
swift/common/swob.py
- CVE-2014-3497
- LP: #1327414
-- Jamie Strandboge <email address hidden> Tue, 24 Jun 2014 07:08:11 -0500
|
1327414 |
[OSSA 2014-020] www-authenticate value isn't quoted (CVE-2014-3497) |
CVE-2014-3497 |
XSS in Swift requests through WWW-Authenticate header |
|
About
-
Send Feedback to @ubuntu_updates