Bug 572460 (CVE-2016-0737, CVE-2016-0738) - <sys-cluster/swift-2.5.0-r2 - Swift proxy-server DoS through Large Object (CVE-2016-{0737,0738})
Status: RESOLVED FIXED
Alias: CVE-2016-0737, CVE-2016-0738
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://review.openstack.org/#/c/217750/
Whiteboard: B3 [noglsa]
Reported: 2016-01-20 17:26 UTC by Matthew Thode ( prometheanfire )
Modified: 2016-06-30 11:49 UTC (History)
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-01-20 17:26:19 UTC
Romain LE DISEZ from OVH and Örjan Persson from Kiliaro independently
reported two vulnerabilities in Swift Large Object. By repeatedly
requesting and interrupting connections to a Large Object (Dynamic or
Static) URL, a remote attacker may exhaust Swift proxy-server
resources, potentially resulting in a denial of service. Note that there
are two distinct bugs that can exhaust proxy resources, one for client
connections (client to proxy, CVE-2016-0737), one for server connections
(proxy to server, CVE-2016-0738). All Swift setups are affected.


arches, please stabilize =sys-cluster/swift-2.5.0-r2
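The proxy-to-server half of the problem (CVE-2016-0738) is a resource-leak class that is easy to reproduce in miniature: a proxy streams a large object segment by segment, and if the backend connection for the current segment is only released after its body has been fully handed to the client, a client that disconnects mid-object leaves that connection open. Repeating the interrupted request leaks one connection per attempt. The model below is an added example written for this page; it is not Swift's code and not the fix in the linked review. `FakeBackendConn`, `SEGMENTS`, `MANIFEST` and the two iterator functions are constructed stand-ins: the "fixed" iterator just guarantees cleanup on `GeneratorExit`, which is what the WSGI server raises by calling `close()` on the response iterator when the client goes away.

```python
"""Toy model of a proxy leaking backend connections on interrupted
Large Object downloads. Added example, not Swift code."""


class FakeBackendConn:
    """Stands in for one proxy-to-object-server connection (constructed)."""

    open_count = 0  # class-wide count of connections not yet closed

    def __init__(self, segment_name, body):
        self.segment_name = segment_name
        self._body = body
        self.closed = False
        FakeBackendConn.open_count += 1

    def read(self):
        return self._body

    def close(self):
        if not self.closed:
            self.closed = True
            FakeBackendConn.open_count -= 1


# Constructed manifest: segment name -> segment body, as a DLO/SLO would list.
SEGMENTS = {
    "seg/0001": b"A" * 8,
    "seg/0002": b"B" * 8,
    "seg/0003": b"C" * 8,
    "seg/0004": b"D" * 8,
}
MANIFEST = list(SEGMENTS)


def leaky_segment_iter(manifest):
    """Vulnerable pattern: the backend connection for a segment is closed
    only after the consumer has taken the body. If the consumer stops
    between segments (client disconnect -> close() on this generator),
    GeneratorExit fires at the yield and conn.close() is never reached."""
    for name in manifest:
        conn = FakeBackendConn(name, SEGMENTS[name])
        yield conn.read()
        conn.close()


def safe_segment_iter(manifest):
    """Hardened pattern: try/finally releases the current backend
    connection no matter how the generator is left, including on
    GeneratorExit from an interrupted client."""
    for name in manifest:
        conn = FakeBackendConn(name, SEGMENTS[name])
        try:
            yield conn.read()
        finally:
            conn.close()


def leaked_after(iter_factory, manifest, n_requests, segments_read):
    """Simulate n_requests clients that each read segments_read segments
    and then drop the connection; the WSGI server responds by calling
    close() on the app iterator. Returns backend connections still open."""
    FakeBackendConn.open_count = 0
    for _ in range(n_requests):
        app_iter = iter_factory(manifest)
        for _ in range(segments_read):
            next(app_iter)
        app_iter.close()  # what the server does when the client goes away
    return FakeBackendConn.open_count


if __name__ == "__main__":
    print("leaky:", leaked_after(leaky_segment_iter, MANIFEST, 5, 1))
    print("safe: ", leaked_after(safe_segment_iter, MANIFEST, 5, 1))
```

The leaky variant leaks exactly one backend connection per interrupted request, independent of how many segments the client actually read before disconnecting, so the count grows linearly with attempts; the safe variant stays at zero. The same check (count live backend sockets before and after a burst of aborted ranged or full GETs against a manifest object) is what an operator would run to confirm a proxy build is no longer affected.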
Comment 1 Agostino Sarubbo gentoo-dev 2016-01-21 13:20:43 UTC
amd64 stable
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-02-10 01:17:43 UTC
allarches stable (should have put that in before), cleaned up
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 11:48:10 UTC
CVE-2016-0738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0738):
  OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x
  before 2.5.1 (Liberty) do not properly close server connections, which
  allows remote attackers to cause a denial of service (proxy-server resource
  consumption) via a series of interrupted requests to a Large Object URL.

CVE-2016-0737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0737):
  OpenStack Object Storage (Swift) before 2.4.0 does not properly close client
  connections, which allows remote attackers to cause a denial of service
  (proxy-server resource consumption) via a series of interrupted requests to
  a Large Object URL.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 11:49:31 UTC
GLSA Vote: No