Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 513864 (CVE-2014-3497) - <sys-cluster/swift-{1.13.0-r1,1.13.1-r1}: XSS in requests through WWW-Authenticate header (CVE-2014-3497) (OSSA 2014-020)
Summary: <sys-cluster/swift-{1.13.0-r1,1.13.1-r1}: XSS in requests through WWW-Authent...
Status: RESOLVED FIXED
Alias: CVE-2014-3497
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-19 14:56 UTC by Agostino Sarubbo
Modified: 2014-06-26 05:11 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-06-19 14:56:57 UTC 
From ${URL} :

OpenStack Security Advisory: 2014-020
CVE: CVE-2014-3497
Date: June 19, 2014
Title: XSS in Swift requests through WWW-Authenticate header
Reporter: Globo.com Security Team
Products: Swift
Versions: 1.11.0 to 1.13.1

Description:
Globo.com Security Team reported a vulnerability in Swift's header value
escaping. By tricking a Swift user into clicking a malicious URL, a
remote attacker may inject data in Swift response while still appearing
to come from the Swift server, potentially leading to other client-side
vulnerabilities. All Swift setups are affected.

Juno (development branch) fix:
https://review.openstack.org/101031

Icehouse (1.13.*) fix:
https://review.openstack.org/101032

Notes:
This fix will be included in the upcoming 2.0.0 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3497
https://launchpad.net/bugs/1327414



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2014-06-24 09:58:25 UTC 
ww.openwall.com/lists/oss-security/2014/06/19/10

cites

Juno (development branch) fix:
https://review.openstack.org/101031

Icehouse (1.13.*) fix:
https://review.openstack.org/101032

which leaves out the swift-1.12.0 whatever that was called again.

~/cvsPortage/gentoo-x86/sys-cluster/swift $ sudo ebuild swift-1.13.[0,1]1-r1.ebuild clean install
yields
>>> Completed installing swift-1.13.1 into /var/tmp/portage/portage/sys-cluster/swift-1.13.[0,1]-r1/image/

This suggests the swift-1.12.0.ebuild may need purging however I don't see it listed as a vulnerable version which is normally done.  Therefore I leave purging of versions needing purging to Matthew who is fully versed.

  24 Jun 2014; Ian Delaney <idella4@gentoo.org> -swift-1.13.0.ebuild,
  -swift-1.13.1.ebuild:
  rm these vulnerable versions wrt Bug #513864

*swift-1.13.0-r1 (24 Jun 2014)
*swift-1.13.1-r1 (24 Jun 2014)

  24 Jun 2014; Ian Delaney <idella4@gentoo.org> +files/CVE-2014-3497-1.13.patch,
  +swift-1.13.0-r1.ebuild, +swift-1.13.1-r1.ebuild:
  revbump; add sec. patch wrt Bug #513864
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2014-06-24 15:09:42 UTC 
  24 Jun 2014; Ian Delaney <idella4@gentoo.org> -swift-1.12.0.ebuild:
  rm old
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-06-26 05:11:13 UTC 
Maintainer(s), Thank you for cleanup!

No GLSA needed as there are no stable versions.