| Summary: | sys-cluster/swift-{1.13.0-r1,1.13.1-r1}: XSS in requests through WWW-Authenticate header (CVE-2014-3497) (OSSA 2014-020) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2014/06/19/10 | | |
| Whiteboard: | ~4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
ww.openwall.com/lists/oss-security/2014/06/19/10 cites

Juno (development branch) fix: https://review.openstack.org/101031
Icehouse (1.13.*) fix: https://review.openstack.org/101032

which leaves out the swift-1.12.0 whatever that was called again.

```
~/cvsPortage/gentoo-x86/sys-cluster/swift $ sudo ebuild swift-1.13.[0,1]1-r1.ebuild clean install
```

yields

```
>>> Completed installing swift-1.13.1 into /var/tmp/portage/portage/sys-cluster/swift-1.13.[0,1]-r1/image/
```

This suggests the swift-1.12.0.ebuild may need purging; however, I don't see it listed as a vulnerable version, which is normally done. Therefore I leave purging of versions needing purging to Matthew, who is fully versed.

24 Jun 2014; Ian Delaney <idella4@gentoo.org> -swift-1.13.0.ebuild, -swift-1.13.1.ebuild:
rm these vulnerable versions wrt Bug #513864

*swift-1.13.0-r1 (24 Jun 2014)
*swift-1.13.1-r1 (24 Jun 2014)

24 Jun 2014; Ian Delaney <idella4@gentoo.org> +files/CVE-2014-3497-1.13.patch, +swift-1.13.0-r1.ebuild, +swift-1.13.1-r1.ebuild:
revbump; add sec. patch wrt Bug #513864

24 Jun 2014; Ian Delaney <idella4@gentoo.org> -swift-1.12.0.ebuild:
rm old

Maintainer(s), thank you for cleanup!

No GLSA needed as there are no stable versions.
From ${URL} :

OpenStack Security Advisory: 2014-020
CVE: CVE-2014-3497
Date: June 19, 2014
Title: XSS in Swift requests through WWW-Authenticate header
Reporter: Globo.com Security Team
Products: Swift
Versions: 1.11.0 to 1.13.1

Description:
Globo.com Security Team reported a vulnerability in Swift's header value escaping. By tricking a Swift user into clicking a malicious URL, a remote attacker may inject data in Swift response while still appearing to come from the Swift server, potentially leading to other client-side vulnerabilities. All Swift setups are affected.

Juno (development branch) fix: https://review.openstack.org/101031
Icehouse (1.13.*) fix: https://review.openstack.org/101032

Notes:
This fix will be included in the upcoming 2.0.0 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3497
https://launchpad.net/bugs/1327414

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
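The escaping defect the advisory describes, as an added defender-side example that is not Swift's code and not taken from the fix linked above: it assumes (hypothetically) that the WWW-Authenticate realm is built from a request-supplied string, shows that unescaped pattern beside a percent-encoded form, and adds a header scan (`unsafe_headers`, a name chosen here) that flags response header values carrying CR/LF or markup delimiters.

```python
# Added example, not Swift's code. Assumption: the realm parameter of the
# WWW-Authenticate header is derived from a request-supplied string, which is
# the class of defect (an unescaped header value) the advisory describes.
from urllib.parse import quote

# Characters a header value must never carry verbatim: CR/LF/NUL (header
# injection) and the angle brackets that let a reflected value render as markup.
UNSAFE_CHARS = frozenset('\r\n\x00<>')

# Constructed sample input: a request-derived name carrying quote and markup.
SAMPLE_REALM = 'acct"<b>x</b>'


def www_authenticate_unescaped(realm: str) -> str:
    """The pattern the advisory warns about: realm interpolated verbatim."""
    return 'Swift realm="%s"' % realm


def www_authenticate_escaped(realm: str) -> str:
    """Hardened form: percent-encode the realm (safe='' also encodes '/'),
    so only unreserved characters and '%' can reach the header."""
    return 'Swift realm="%s"' % quote(realm, safe='')


def unsafe_headers(headers: dict) -> list:
    """Return the names of headers whose value contains any UNSAFE_CHARS.
    Double quotes are not checked here, since they legitimately delimit
    quoted parameters; the escaped builder above never emits them anyway."""
    return [name for name, value in headers.items()
            if any(ch in UNSAFE_CHARS for ch in value)]


if __name__ == '__main__':
    print(www_authenticate_unescaped(SAMPLE_REALM))
    print(www_authenticate_escaped(SAMPLE_REALM))
    print(unsafe_headers({'Www-Authenticate': www_authenticate_unescaped(SAMPLE_REALM)}))
```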