Date: Wed, 26 Aug 2015 20:22:48 +0000
From: Tristan Cacqueray <tdecacqu@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2015-016] Information leak via Swift tempurls (CVE-2015-5223)

==================================================
OSSA-2015-016: Information leak via Swift tempurls
==================================================

:Date: August 26, 2015
:CVE: CVE-2015-5223

Affects
~~~~~~~
- Swift: versions through 2.3.0

Description
~~~~~~~~~~~
Richard Hawkins from Rackspace and Swift core reviewers reported a
vulnerability in Swift tempurls. When in possession of a tempurl key
authorized for PUT, a malicious actor may retrieve other objects in the
same Swift account (tenant). All Swift setups are affected.

Patches
~~~~~~~
- https://review.openstack.org/217253 (Juno)
- https://review.openstack.org/217254 (Kilo)
- https://review.openstack.org/217255 (Kilo)
- https://review.openstack.org/217259 (Liberty)
- https://review.openstack.org/217260 (Liberty)

Credits
~~~~~~~
- Richard Hawkins from Rackspace (CVE-2015-5223)
- Swift core reviewers from OpenStack (CVE-2015-5223)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1453948
- https://launchpad.net/bugs/1449212
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5223

Notes
~~~~~
- This fix will be included in future 2014.2.4 (juno) and 2015.1.2
  (kilo) releases.

--
Tristan Cacqueray
OpenStack Vulnerability Management Team