Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 09 Oct 2014 14:44:49 +0200
From: Thierry Carrez <thierry@...nstack.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-034] Swift metadata constraints are not correctly enforced
 (CVE-2014-7960)

OpenStack Security Advisory: 2014-034
CVE: CVE-2014-7960
Date: October 09, 2014
Title: Swift metadata constraints are not correctly enforced
Reporter: Rajaneesh Singh
Products: Swift
Versions: up to 2.1.0

Description:
Rajaneesh Singh reported a vulnerability in the way Swift enforces
metadata constraints. By adding metadata in several separate calls, an
authenticated attacker can bypass the max_meta_count constraint,
potentially resulting in the storage of more metadata than allowed in
configuration.

Juno (development branch) fix:
https://review.openstack.org/125360

Icehouse fix:
https://review.openstack.org/126645

Notes:
This fix will be included in the upcoming 2.2.0 Juno release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7960
https://launchpad.net/bugs/1365350

--
Thierry Carrez
OpenStack Vulnerability Management Team


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.