
Bug 572460 (CVE-2016-0737, CVE-2016-0738)

Summary: <sys-cluster/swift-2.5.0-r2 - Swift proxy-server DoS through Large Object (CVE-2016-{0737,0738})
Product: Gentoo Security
Reporter: Matthew Thode ( prometheanfire ) <prometheanfire>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://review.openstack.org/#/c/217750/
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-01-20 17:26:19 UTC
Romain LE DISEZ from OVH and Örjan Persson from Kiliaro independently
reported two vulnerabilities in Swift Large Object. By repeatedly
requesting and interrupting connections to a Large Object (Dynamic or
Static) URL, a remote attacker may exhaust Swift proxy-server
resources, potentially resulting in a denial of service. Note that there
are two distinct bugs that can exhaust proxy resources, one for client
connections (client to proxy, CVE-2016-0737), one for server connections
(proxy to server, CVE-2016-0738). All Swift setups are affected.


arches, please stabilize =sys-cluster/swift-2.5.0-r2
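The failure mode described in the report, as an added illustration written for this page (it is not Swift's code and does not reproduce the actual patch at the review URL above): a proxy that streams a Large Object as a WSGI iterator opens one backend connection per segment, and a client that disconnects mid-stream leaves the iterator suspended, so a backend connection that is only closed after the inner loop finishes is never closed. The names BackendConnection, stream_leaky, stream_safe, serve_once and leaked_connections, and the two-segment object SEGMENTS, are all constructed here; the backend "connection" is a counter-backed stand-in for a socket so the example runs offline and deterministically.

```python
"""Illustrative proxy streaming pattern (constructed example, not Swift code).

A WSGI server calls close() on the application's response iterator when the
client goes away (PEP 3333). For a generator that means a GeneratorExit is
raised at the suspended yield, so cleanup only happens if it sits in a
try/finally. Cleanup placed after the inner loop is simply skipped.
"""


class BackendConnection:
    """Stand-in for a proxy-to-object-server connection (constructed).

    open_count plays the role of the proxy's pool of live backend sockets;
    an interrupted request that never calls close() leaves it incremented.
    """

    open_count = 0

    def __init__(self, chunks):
        self.chunks = list(chunks)
        self.closed = False
        BackendConnection.open_count += 1

    def read_chunks(self):
        # Yield the segment body one chunk at a time, like a streamed GET.
        yield from self.chunks

    def close(self):
        if not self.closed:
            self.closed = True
            BackendConnection.open_count -= 1


# A two-segment Large Object with two chunks per segment (constructed data).
SEGMENTS = [[b"seg1-a", b"seg1-b"], [b"seg2-a", b"seg2-b"]]


def stream_leaky(segments):
    """Vulnerable pattern: close() runs only after a segment is fully sent."""
    for seg in segments:
        conn = BackendConnection(seg)
        for chunk in conn.read_chunks():
            yield chunk
        conn.close()  # never reached if the client disconnects mid-segment


def stream_safe(segments):
    """Hardened pattern: close() is guaranteed by finally, including on
    GeneratorExit, which is what the server's close() call delivers."""
    for seg in segments:
        conn = BackendConnection(seg)
        try:
            for chunk in conn.read_chunks():
                yield chunk
        finally:
            conn.close()


def serve_once(stream_factory, segments, abort_after):
    """Simulate one request whose client disconnects after `abort_after`
    chunks (or reads everything if abort_after exceeds the body length).
    Returns the number of chunks actually delivered."""
    body = stream_factory(segments)
    delivered = 0
    for chunk in body:
        delivered += 1
        if delivered == abort_after:
            break  # client interrupted the download
    body.close()  # what a PEP 3333 server does once the client is gone
    return delivered


def leaked_connections(stream_factory, n_requests, abort_after):
    """Run n_requests interrupted downloads and report how many backend
    connections are still open afterwards: the resource the report says an
    attacker can exhaust by repeating this."""
    BackendConnection.open_count = 0
    for _ in range(n_requests):
        serve_once(stream_factory, SEGMENTS, abort_after)
    return BackendConnection.open_count


if __name__ == "__main__":
    print("leaky, 5 interrupted requests:", leaked_connections(stream_leaky, 5, 1))
    print("safe,  5 interrupted requests:", leaked_connections(stream_safe, 5, 1))
    print("leaky, 5 complete requests:   ", leaked_connections(stream_leaky, 5, 100))
```

The leaky variant leaks exactly one backend connection per interrupted request and none for completed downloads, which is why the problem only surfaces under a stream of aborted Large Object requests; the same try/finally discipline applies on the client side of the proxy (CVE-2016-0737), where the resource left behind is the client socket rather than the backend one.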
Comment 1 Agostino Sarubbo gentoo-dev 2016-01-21 13:20:43 UTC
amd64 stable
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-02-10 01:17:43 UTC
allarches stable (should have put that in before), cleaned up
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 11:48:10 UTC
CVE-2016-0738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0738):
  OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x
  before 2.5.1 (Liberty) do not properly close server connections, which
  allows remote attackers to cause a denial of service (proxy-server resource
  consumption) via a series of interrupted requests to a Large Object URL.

CVE-2016-0737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0737):
  OpenStack Object Storage (Swift) before 2.4.0 does not properly close client
  connections, which allows remote attackers to cause a denial of service
  (proxy-server resource consumption) via a series of interrupted requests to
  a Large Object URL.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 11:49:31 UTC
GLSA Vote: No