Date: Wed, 26 Aug 2015 20:22:48 +0000
From: Tristan Cacqueray <tdecacqu@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2015-016] Information leak via Swift tempurls (CVE-2015-5223)

==================================================
OSSA-2015-016: Information leak via Swift tempurls
==================================================

:Date: August 26, 2015
:CVE: CVE-2015-5223

Affects
~~~~~~~
- Swift: versions through 2.3.0

Description
~~~~~~~~~~~
Richard Hawkins from Rackspace and Swift core reviewers reported a
vulnerability in Swift tempurls. When in possession of a tempurl key
authorized for PUT, a malicious actor may retrieve other objects in
the same Swift account (tenant). All Swift setups are affected.

Patches
~~~~~~~
- https://review.openstack.org/217253 (Juno)
- https://review.openstack.org/217254 (Kilo)
- https://review.openstack.org/217255 (Kilo)
- https://review.openstack.org/217259 (Liberty)
- https://review.openstack.org/217260 (Liberty)

Credits
~~~~~~~
- Richard Hawkins from Rackspace (CVE-2015-5223)
- Swift core reviewers from OpenStack (CVE-2015-5223)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1453948
- https://launchpad.net/bugs/1449212
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5223

Notes
~~~~~
- This fix will be included in future 2014.2.4 (juno) and 2015.1.2
  (kilo) releases.

--
Tristan Cacqueray
OpenStack Vulnerability Management Team

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)