From ${URL} :

OpenStack Security Advisory: 2014-020
CVE: CVE-2014-3497
Date: June 19, 2014
Title: XSS in Swift requests through WWW-Authenticate header
Reporter: Globo.com Security Team
Products: Swift
Versions: 1.11.0 to 1.13.1

Description:
Globo.com Security Team reported a vulnerability in Swift's header value escaping. By tricking a Swift user into clicking a malicious URL, a remote attacker may inject data in Swift response while still appearing to come from the Swift server, potentially leading to other client-side vulnerabilities. All Swift setups are affected.

Juno (development branch) fix:
https://review.openstack.org/101031
Icehouse (1.13.*) fix:
https://review.openstack.org/101032

Notes:
This fix will be included in the upcoming 2.0.0 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3497
https://launchpad.net/bugs/1327414

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
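The advisory above describes a value reflected into the WWW-Authenticate header without proper escaping. The Python below is an added illustration of that class of defect and its defensive fix; it is not part of this bug report and not Swift's own code. The function names, the `Swift realm="..."` header layout, and the sample realm strings are assumptions made for the example.

```python
"""Escaping a request-derived value before it is placed in an HTTP header.

Added example (not Swift's code).  Shows the unescaped 'before' form next to
a percent-encoded form, plus a check that a finished header field-value
contains nothing HTTP forbids (CR, LF, other control characters).
"""
from urllib.parse import quote


def unsafe_www_authenticate(realm: str) -> str:
    """'Before' form (assumed layout): the realm is interpolated verbatim.

    A realm taken from the request path can therefore contain '"', '<' or a
    CR/LF pair and reshape the header instead of being treated as data.
    """
    return 'Swift realm="%s"' % realm


def safe_www_authenticate(realm: str) -> str:
    """Hardened form: percent-encode the realm so that only unreserved
    characters, '/' and %XX escapes ever reach the header.

    quote() turns '"' into %22, '<' into %3C and CR/LF into %0D%0A, so the
    quoted-string structure of the header survives whatever the caller passes.
    """
    return 'Swift realm="%s"' % quote(realm, safe="/")


def header_value_is_clean(value: str) -> bool:
    """Return True if value is a legal HTTP header field-value.

    HTTP allows visible ASCII, space and horizontal tab; CR and LF would end
    the header (response splitting) and other control characters are invalid.
    Use this as a last-line check on any header built from external input.
    """
    for ch in value:
        code = ord(ch)
        if ch == "\t":
            continue
        if code < 0x20 or code == 0x7F or code > 0x7E:
            return False
    return True


def build_challenge(realm: str) -> str:
    """Build the header value defensively: encode first, then verify.

    Raises ValueError rather than emitting a header that the check rejects,
    which should never happen after quote() but documents the invariant.
    """
    header = safe_www_authenticate(realm)
    if not header_value_is_clean(header):
        raise ValueError("header value contains forbidden characters")
    return header


if __name__ == "__main__":
    # Constructed sample inputs: a normal account realm and two hostile ones.
    for sample in ("AUTH_test", 'AUTH_test"<b>', "AUTH_a\r\nX-Injected: 1"):
        print(repr(unsafe_www_authenticate(sample)), "->",
              header_value_is_clean(unsafe_www_authenticate(sample)))
        print(repr(build_challenge(sample)))
```

The unescaped form passes the field-value check for the `"<b>` case, which is exactly why the check alone is not a fix: escaping has to preserve the header's quoted-string structure, and the control-character check only catches the header-splitting variant.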
ww.openwall.com/lists/oss-security/2014/06/19/10 cites

Juno (development branch) fix: https://review.openstack.org/101031
Icehouse (1.13.*) fix: https://review.openstack.org/101032

which leaves out the swift-1.12.0, whatever that was called again.

~/cvsPortage/gentoo-x86/sys-cluster/swift $ sudo ebuild swift-1.13.[0,1]1-r1.ebuild clean install

yields

>>> Completed installing swift-1.13.1 into /var/tmp/portage/portage/sys-cluster/swift-1.13.[0,1]-r1/image/

This suggests the swift-1.12.0.ebuild may need purging; however, I don't see it listed as a vulnerable version, which is normally done. Therefore I leave purging of versions needing purging to Matthew, who is fully versed.

24 Jun 2014; Ian Delaney <idella4@gentoo.org> -swift-1.13.0.ebuild, -swift-1.13.1.ebuild:
rm these vulnerable versions wrt Bug #513864

*swift-1.13.0-r1 (24 Jun 2014)
*swift-1.13.1-r1 (24 Jun 2014)

24 Jun 2014; Ian Delaney <idella4@gentoo.org> +files/CVE-2014-3497-1.13.patch, +swift-1.13.0-r1.ebuild, +swift-1.13.1-r1.ebuild:
revbump; add sec. patch wrt Bug #513864
24 Jun 2014; Ian Delaney <idella4@gentoo.org> -swift-1.12.0.ebuild: rm old
Maintainer(s), thank you for the cleanup! No GLSA needed as there are no stable versions.