Security update for openstack-swift
SUSE Patch
security@suse.de
SUSE Security Team
SUSE-SU-2015:1846-1
Final
1
1
2015-10-19T09:00:52Z
current
2015-10-19T09:00:52Z
2015-10-19T09:00:52Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
openstack-swift was updated to fix three security issues.
These security issues were fixed:
- CVE-2015-1856: OpenStack Object Storage (Swift), when allow_version is configured, allowed remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container (bsc#927793).
- CVE-2014-7960: OpenStack Object Storage (Swift) allowed remote authenticated users to bypass the max_meta_count and other metadata constraints via multiple crafted requests which exceed the limit when combined (bsc#900253).
- CVE-2015-5223: Information leak via Swift tempurls (bsc#942641).
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
sleclo50sp3-openstack-swift-12171
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2015/suse-su-20151846-1/
Link for SUSE-SU-2015:1846-1
https://lists.suse.com/pipermail/sle-security-updates/2015-October/001652.html
E-Mail link for SUSE-SU-2015:1846-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/900253
SUSE Bug 900253
https://bugzilla.suse.com/927793
SUSE Bug 927793
https://bugzilla.suse.com/942641
SUSE Bug 942641
https://www.suse.com/security/cve/CVE-2014-7960/
SUSE CVE CVE-2014-7960 page
https://www.suse.com/security/cve/CVE-2015-1856/
SUSE CVE CVE-2015-1856 page
https://www.suse.com/security/cve/CVE-2015-5223/
SUSE CVE CVE-2015-5223 page
SUSE OpenStack Cloud 5
openstack-swift-2.1.0-11.1
openstack-swift-account-2.1.0-11.1
openstack-swift-container-2.1.0-11.1
openstack-swift-doc-2.1.0-11.1
openstack-swift-object-2.1.0-11.1
openstack-swift-proxy-2.1.0-11.1
python-swift-2.1.0-11.1
openstack-swift-2.1.0-11.1 as a component of SUSE OpenStack Cloud 5
openstack-swift-account-2.1.0-11.1 as a component of SUSE OpenStack Cloud 5
openstack-swift-container-2.1.0-11.1 as a component of SUSE OpenStack Cloud 5
openstack-swift-doc-2.1.0-11.1 as a component of SUSE OpenStack Cloud 5
openstack-swift-object-2.1.0-11.1 as a component of SUSE OpenStack Cloud 5
openstack-swift-proxy-2.1.0-11.1 as a component of SUSE OpenStack Cloud 5
python-swift-2.1.0-11.1 as a component of SUSE OpenStack Cloud 5
OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multiple crafted requests which exceed the limit when combined.
CVE-2014-7960
SUSE OpenStack Cloud 5:openstack-swift-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-account-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-container-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-doc-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-object-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-proxy-2.1.0-11.1
SUSE OpenStack Cloud 5:python-swift-2.1.0-11.1
important
4
AV:N/AC:L/Au:S/C:N/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2015/suse-su-20151846-1/
https://www.suse.com/security/cve/CVE-2014-7960.html
CVE-2014-7960
https://bugzilla.suse.com/900253
SUSE Bug 900253
https://bugzilla.suse.com/927793
SUSE Bug 927793
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.
CVE-2015-1856
SUSE OpenStack Cloud 5:openstack-swift-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-account-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-container-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-doc-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-object-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-proxy-2.1.0-11.1
SUSE OpenStack Cloud 5:python-swift-2.1.0-11.1
important
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2015/suse-su-20151846-1/
https://www.suse.com/security/cve/CVE-2015-1856.html
CVE-2015-1856
https://bugzilla.suse.com/927793
SUSE Bug 927793
OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that references an object in another container.
CVE-2015-5223
SUSE OpenStack Cloud 5:openstack-swift-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-account-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-container-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-doc-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-object-2.1.0-11.1
SUSE OpenStack Cloud 5:openstack-swift-proxy-2.1.0-11.1
SUSE OpenStack Cloud 5:python-swift-2.1.0-11.1
important
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2015/suse-su-20151846-1/
https://www.suse.com/security/cve/CVE-2015-5223.html
CVE-2015-5223
https://bugzilla.suse.com/942641
SUSE Bug 942641