Date: Tue, 14 Apr 2015 14:53:59 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2015-006] Unauthorized delete of versioned Swift object (CVE-2015-1856)

============================================================
OSSA-2015-006: Unauthorized delete of versioned Swift object
============================================================

:Date: April 14, 2015
:CVE: CVE-2015-1856

Affects
~~~~~~~
- Swift: versions through 2.2.2

Description
~~~~~~~~~~~
Clay Gerrard from SwiftStack reported a vulnerability in Swift object
versioning. An authenticated user can delete the most recent version of
any versioned object whose name is known if the user has listing access
to the x-versions-location container. Only Swift setups with the
allow_version setting are affected.

Patches
~~~~~~~
- https://review.openstack.org/173366 (Icehouse)
- https://review.openstack.org/173363 (Juno)
- https://review.openstack.org/173361 (Kilo)

Credits
~~~~~~~
- Clay Gerrard from SwiftStack (CVE-2015-1856)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1430645
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1856

Notes
~~~~~
- This fix will be included in the upcoming 2.3.0 release.

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
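An exposure check built on the precondition stated in the Description, added here as an example and not part of the advisory or of Swift's code: for each versioned container it reports principals that can list the x-versions-location container without being in the versioned container's write ACL. The container names, the ACL values, and the helper names `principals` and `audit` are constructed for illustration; account owners and admins, who are not listed in ACLs, are out of scope.

```python
from urllib.parse import unquote

# Constructed sample: container name -> headers from a HEAD on that container.
CONTAINERS = {
    "docs": {"X-Versions-Location": "docs_archive",
             "X-Container-Write": "acme:alice"},
    "docs_archive": {"X-Container-Read": "acme:alice, acme:bob"},
    "media": {"x-versions-location": "media%20archive",
              "X-Container-Write": "acme:carol"},
    "media archive": {"X-Container-Read": "acme:carol,.r:*"},
    "public": {"X-Container-Read": ".r:*,.rlistings"},
}


def principals(acl):
    """Return the user/group entries of a container ACL string.

    Referrer elements (".r:...", ".rlistings") are skipped because the
    advisory concerns authenticated users.
    """
    entries = (e.strip() for e in (acl or "").split(","))
    return {e for e in entries if e and not e.startswith(".")}


def audit(containers):
    """List (container, versions_location, principals) needing review.

    A principal is reported when it can list the versions-location container
    but is not in the write ACL of the versioned container itself.
    Assumption: ACL entries are compared as exact strings (no wildcards).
    """
    lowered = {name: {k.lower(): v for k, v in hdrs.items()}
               for name, hdrs in containers.items()}
    findings = []
    for name, hdrs in sorted(lowered.items()):
        location = hdrs.get("x-versions-location")
        if not location:
            continue
        archive = unquote(location)  # header value is URL-encoded
        listers = principals(lowered.get(archive, {}).get("x-container-read"))
        writers = principals(hdrs.get("x-container-write"))
        extra = sorted(listers - writers)
        if extra:
            findings.append((name, archive, extra))
    return findings


if __name__ == "__main__":
    for finding in audit(CONTAINERS):
        print(finding)
```

On unpatched deployments, each reported principal is a candidate for tightening the read ACL on the versions-location container until one of the listed patches is applied.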