Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 07 Aug 2013 17:48:28 +0200
From: Thierry Carrez <thierry@...nstack.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2013-022] Swift Denial of Service using superfluous object
 tombstones (CVE-2013-4155)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-022
CVE: CVE-2013-4155
Date: August 7, 2013
Title: Swift Denial of Service using superfluous object tombstones
Reporter: Peter Portante (Red Hat)
Products: Swift
Affects: All versions

Description:
Peter Portante from Red Hat reported a vulnerability in Swift. By
issuing requests with an old X-Timestamp value, an authenticated
attacker can fill an object server with superfluous object tombstones,
which may significantly slow down subsequent requests to that object
server, facilitating a Denial of Service attack against Swift clusters.

Havana (development branch) fix:
https://review.openstack.org/40643

Grizzly fix:
https://review.openstack.org/40645

Folsom fix:
https://review.openstack.org/40646

Note:
The havana fix will be included in the upcoming Swift 1.9.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4155
https://bugs.launchpad.net/swift/+bug/1196932

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJSAmxMAAoJEFB6+JAlsQQjHnAP/3Q1paJhRVmqLqMgH/+1aey+
5tzafCJP/YwRdjRi3l27MgIVoKk9sqVr3jxpaSDVFZ2iKD3wqcb28cYa8tqRGLsV
gkb0nCePG/HQjcfE58Up+1otH/vMqoZTjLzQfUWPAWZASCm6vFSIcepdyi4WMIiM
Rfv1E+Mjf9esNBT7fHgfNW4wrJbut+j4pU9sqzZS13KE2pbdKi8URsF1Pt77QXz5
PtgfvGiIlkwQQ18Y0VMyGj50uWF36J3YXt1k6L4qa9SXd+HAx5yRq+QPdPPHgUrv
S3WDi+lAlhZa47K7fDUzR9Ytr25JSa1L48cJp2e8Lw5RNSGjZd9UJp5ZGvlK0ZFl
fb3gktBu+4KzJ6jiCV7kQXSxTVMcICjFF35v0Y6pLCmTOeYtcri1VoT9CV0mdo+f
85BxCcykaE1EQbPW+OpO5S6LoGpb0WBCYvcqrQr05I7Y0qIdUz4WucsheWDx2kSm
o6ZaZedc1k397WLZt2WTaqQFgoFh2fN9gp+syseFItCi+zlQOyMkCCm3ORvnmGuE
7fR0998XTRzzW1b8Z9a8QWWyXVmHqZ7oqu4yRsGxbyZG+4ckX+XsRwqf/C3DJNdw
fZTXbvnEgxnO18Cq5ki4EbJrk70vW45TtJ7kSWGbwSEcZ/Ju4A1fncK4ESd/cMf7
2hcM7moWaAcdUSCEII7O
=AwQ5
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.