Bug 480198 (CVE-2013-4155) - <sys-cluster/swift-1.9.1: Denial of Service using superfluous object tombstones (CVE-2013-4155)
Summary: <sys-cluster/swift-1.9.1: Denial of Service using superfluous object tombston...
Status: RESOLVED FIXED
Alias: CVE-2013-4155
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-07 18:57 UTC by Agostino Sarubbo
Modified: 2013-08-28 23:39 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-08-07 18:57:12 UTC
From ${URL} :

OpenStack Security Advisory: 2013-022
CVE: CVE-2013-4155
Date: August 7, 2013
Title: Swift Denial of Service using superfluous object tombstones
Reporter: Peter Portante (Red Hat)
Products: Swift
Affects: All versions

Description:
Peter Portante from Red Hat reported a vulnerability in Swift. By
issuing requests with an old X-Timestamp value, an authenticated
attacker can fill an object server with superfluous object tombstones,
which may significantly slow down subsequent requests to that object
server, facilitating a Denial of Service attack against Swift clusters.

Havana (development branch) fix:
https://review.openstack.org/40643

Grizzly fix:
https://review.openstack.org/40645

Folsom fix:
https://review.openstack.org/40646

Note:
The havana fix will be included in the upcoming Swift 1.9.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4155
https://bugs.launchpad.net/swift/+bug/1196932


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
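To make the mechanism in the advisory concrete, here is an added Python model of the object-server DELETE decision the fix changed. It is illustrative code written for this page, not Swift's own implementation, and it assumes 409 Conflict as the rejection status and omits Swift's cleanup of older files; the exact change is in the linked reviews.

```python
# Added model of the object-server DELETE path abused in CVE-2013-4155.
# Illustrative code, not Swift's own. Swift stores each object as a directory
# of files named "<X-Timestamp>.data" (live object) or "<X-Timestamp>.ts"
# (tombstone); the newest timestamp wins on reads and during replication.
# Before the fix, a DELETE carrying any old X-Timestamp still wrote a
# tombstone file. The hardened path refuses a timestamp that is not newer
# than what is already stored, so stale DELETEs persist nothing.
# Assumptions: 409 as the rejection status; cleanup of older files omitted.

class ObjectDir:
    """Stand-in for one object's on-disk directory on an object server."""

    def __init__(self, data_ts):
        # Constructed state: a single live .data file written at data_ts.
        self.files = {f"{data_ts:.5f}.data"}

    def newest_ts(self):
        # File names carry the timestamp; the newest one is authoritative.
        return max(float(n.rsplit(".", 1)[0]) for n in self.files)

    def tombstones(self):
        return sum(1 for n in self.files if n.endswith(".ts"))

    def delete(self, req_ts, hardened):
        """Handle DELETE with X-Timestamp=req_ts; return an HTTP status."""
        if hardened and req_ts <= self.newest_ts():
            # Nothing newer to record: a stale tombstone can never win a
            # last-writer comparison, so persisting it only consumes inodes
            # and slows every later directory listing for this object.
            return 409
        self.files.add(f"{req_ts:.5f}.ts")
        return 204


def stale_delete_burst(hardened, count=1000, data_ts=1375900000.0):
    """Replay `count` DELETEs whose timestamps all predate the stored .data
    file; return (tombstones written, set of statuses returned)."""
    obj = ObjectDir(data_ts)
    statuses = set()
    for i in range(count):
        # Each constructed request carries a distinct old timestamp.
        statuses.add(obj.delete(data_ts - 1 - i, hardened))
    return obj.tombstones(), statuses


if __name__ == "__main__":
    print("vulnerable:", stale_delete_burst(hardened=False))  # (1000, {204})
    print("hardened:  ", stale_delete_burst(hardened=True))   # (0, {409})
```

A DELETE with a timestamp newer than the stored file still succeeds under the hardened policy, so normal client deletes are unaffected.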
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-11 01:27:52 UTC
1.9.1 is scheduled to be released on the 13th of this month. I will fix it then (in my calendar :D)
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-13 16:09:16 UTC
fixed in tree.

added sys-cluster/swift-1.9.1 and sys-cluster/swift-1.8.0-r3 (which has the grizzly patch).

removed bad versions

as a note, git master has the patch (9999) and grizzly-stable has the patch (swift-2013.1.9999.ebuild).

removing myself from cc, add me if I missed something
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 01:07:46 UTC
Closing noglsa.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-08-28 23:39:19 UTC
CVE-2013-4155 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4155):
  OpenStack Swift before 1.9.1 in Folsom, Grizzly, and Havana allows
  authenticated users to cause a denial of service ("superfluous" tombstone
  consumption and Swift cluster slowdown) via a DELETE request with a
  timestamp that is older than expected.