Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 14 Apr 2015 14:53:59 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2015-006] Unauthorized delete of versioned Swift object (CVE-2015-1856)

============================================================
OSSA-2015-006: Unauthorized delete of versioned Swift object
============================================================

:Date: April 14, 2015
:CVE: CVE-2015-1856


Affects
~~~~~~~
- Swift: versions through 2.2.2


Description
~~~~~~~~~~~
Clay Gerrard from SwiftStack reported a vulnerability in Swift object
versioning. An authenticated user can delete the most recent version
of any versioned object whose name is known if the user have listing
access to the x-versions-location container. Only Swift setups with
allow_version setting are affected.


Patches
~~~~~~~
- https://review.openstack.org/173366 (Icehouse)
- https://review.openstack.org/173363 (Juno)
- https://review.openstack.org/173361 (Kilo)


Credits
~~~~~~~
- Clay Gerrard from SwiftStack (CVE-2015-1856)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1430645
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1856


Notes
~~~~~
- This fix will be included in the upcoming 2.3.0 release.

--
Tristan Cacqueray
OpenStack Vulnerability Management Team


Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.