553610 – <sys-cluster/swift-2.3.0: Unauthorized delete of versioned Swift object (CVE-2015-1856)

Bug 553610 - <sys-cluster/swift-2.3.0: Unauthorized delete of versioned Swift object (CVE-2015-1856)

Summary: <sys-cluster/swift-2.3.0: Unauthorized delete of versioned Swift object (CVE-...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2015-06-30 00:09 UTC by GLSAMaker/CVETool Bot
Modified:	2015-06-30 00:09 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2015-06-30 00:09:04 UTC

CVE-2015-1856 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1856):
  OpenStack Object Storage (Swift) before 2.3.0, when allow_version is
  configured, allows remote authenticated users to delete the latest version
  of an object by leveraging listing access to the x-versions-location
  container.

Comment 1 Sean Amoss (RETIRED) gentoo-dev

2015-06-30 00:09:35 UTC

*swift-2.2.2-r1 (14 Apr 2015)
	
	  14 Apr 2015; Matthew Thode <prometheanfire@gentoo.org>
	  +files/cve-2015-1856-master-kilo.patch, +swift-2.2.2-r1.ebuild,
	  -swift-2.2.0.ebuild, -swift-2.2.2.ebuild:
	  fixing cve-2015-1856