From ${URL} :

OpenStack Security Advisory: 2013-016
CVE: CVE-2013-2161
Date: June 13, 2013
Title: Unchecked user input in Swift XML responses
Reporter: Alex Gaynor (Rackspace)
Products: Swift
Affects: All versions

Description:
Alex Gaynor from Rackspace reported a vulnerability in XML handling within Swift account servers. Account strings were unescaped in XML listings, and an attacker could potentially generate unparsable or arbitrary XML responses which may be used to leverage other vulnerabilities in the calling software.

Havana (development branch) fix: https://review.openstack.org/32905
Grizzly fix: https://review.openstack.org/32909
Folsom fix: https://review.openstack.org/32911

Notes:
This fix will be included in the next release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2161
https://bugs.launchpad.net/swift/+bug/1183884

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
already fixed
Is there anything to do here? I don't think this bug should be open, but since I'm not on the sec team I don't want to close this myself...
(In reply to Matthew Thode ( prometheanfire ) from comment #2)
> Is there anything to do here?

Yes, fill in the rest of the bug report.

> I don't think this bug should be open,

Not anymore.

> but since I'm not on the sec team I don't want to close this myself...

We don't mind the help :D

Closing noglsa for ~arch only.
CVE-2013-2161 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2161): XML injection vulnerability in account/utils.py in OpenStack Swift Folsom, Grizzly, and Havana allows attackers to trigger invalid or spoofed Swift responses via an account name.
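
The class of bug the advisory describes, as an added example that is not Swift's code and not part of this bug thread: an account string interpolated into an XML listing without escaping, next to the escaped form. The function names, the listing layout (account name in a `name` attribute) and the sample account strings are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr


def listing_unescaped(account, containers):
    """'Before' form: the account string goes into the attribute as-is."""
    out = ['<?xml version="1.0" encoding="UTF-8"?>',
           '<account name="%s">' % account]
    for name in containers:
        out.append('<container><name>%s</name></container>' % escape(name))
    out.append('</account>')
    return '\n'.join(out)


def listing_escaped(account, containers):
    """Hardened form: quoteattr() escapes & < > and picks safe quoting."""
    out = ['<?xml version="1.0" encoding="UTF-8"?>',
           '<account name=%s>' % quoteattr(account)]
    for name in containers:
        out.append('<container><name>%s</name></container>' % escape(name))
    out.append('</account>')
    return '\n'.join(out)


def parse_listing(xml_text):
    """What calling software sees: (account name, attribute names,
    container names), or None when the response is unparsable."""
    try:
        root = ET.fromstring(xml_text.encode('utf-8'))
    except ET.ParseError:
        return None
    names = [c.findtext('name') for c in root.iter('container')]
    return root.get('name'), sorted(root.attrib), names


# Constructed sample account strings (not taken from the advisory).
BREAKS_PARSER = 'AUTH_a"<'           # stray quote and '<' in the attribute
ADDS_ATTRIBUTE = 'AUTH_a" spoofed="1'  # closes the attribute, opens another

if __name__ == '__main__':
    for account in (BREAKS_PARSER, ADDS_ATTRIBUTE):
        print(repr(account))
        print('  unescaped:', parse_listing(listing_unescaped(account, ['c1'])))
        print('  escaped:  ', parse_listing(listing_escaped(account, ['c1'])))
```

With escaping, both sample strings come back from the parser as the literal account name and the response carries only the `name` attribute.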