Ubuntu Security Notice 2704-1 - Rajaneesh Singh discovered Swift does not properly enforce metadata limits. An attacker could abuse this issue to store more metadata than allowed by policy. Clay Gerrard discovered Swift allowed users to delete the latest version of object regardless of object permissions when allow_version is configured. An attacker could use this issue to delete objects. Various other issues were also addressed.
8db03feeaa7eb981bf4b8d968079bfd997f069ce59de6319218290165007e54c
==========================================================================
Ubuntu Security Notice USN-2704-1
August 06, 2015
swift vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Swift.
Software Description:
- swift: OpenStack distributed virtual object store
Details:
Rajaneesh Singh discovered Swift does not properly enforce metadata
limits. An attacker could abuse this issue to store more metadata than
allowed by policy. (CVE-2014-7960)
Clay Gerrard discovered Swift allowed users to delete the latest version
of object regardless of object permissions when allow_version is
configured. An attacker could use this issue to delete objects.
(CVE-2015-1856)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
swift 2.2.2-0ubuntu1.3
Ubuntu 14.04 LTS:
swift 1.13.1-0ubuntu1.2
Ubuntu 12.04 LTS:
swift 1.4.8-0ubuntu2.5
After a standard system update you need to restart swift to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2704-1
CVE-2014-7960, CVE-2015-1856
Package Information:
https://launchpad.net/ubuntu/+source/swift/2.2.2-0ubuntu1.3
https://launchpad.net/ubuntu/+source/swift/1.13.1-0ubuntu1.2
https://launchpad.net/ubuntu/+source/swift/1.4.8-0ubuntu2.5