Romain LE DISEZ from OVH and Örjan Persson from Kiliaro independently reported two vulnerabilities in Swift Large Object. By repeatedly requesting and interrupting connections to a Large Object (Dynamic or Static) URL, a remote attacker may exhaust Swift proxy-server resources, potentially resulting in a denial of service. Note that there are two distinct bugs that can exhaust proxy resources, one for client connections (client to proxy, CVE-2016-0737), one for server connections (proxy to server, CVE-2016-0738). All Swift setups are affected. arches, please stabilize =sys-cluster/swift-2.5.0-r2
amd64 stable
allarches stable (should have put that in before), cleaned up
CVE-2016-0738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0738): OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x before 2.5.1 (Liberty) do not properly close server connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL. CVE-2016-0737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0737): OpenStack Object Storage (Swift) before 2.4.0 does not properly close client connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL.
GLSA Vote: No