OpenStack Security Advisory: 2014-034 CVE: CVE-2014-7960 Date: October 09, 2014 Title: Swift metadata constraints are not correctly enforced Reporter: Rajaneesh Singh Products: Swift Versions: up to 2.1.0 Description: Rajaneesh Singh reported a vulnerability in the way Swift enforces metadata constraints. By adding metadata in several separate calls, an authenticated attacker can bypass the max_meta_count constraint, potentially resulting in the storage of more metadata than allowed in configuration. Juno (development branch) fix: https://review.openstack.org/125360 Icehouse fix: https://review.openstack.org/126645 Notes: This fix will be included in the upcoming 2.2.0 Juno release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7960 https://launchpad.net/bugs/1365350 -- Thierry Carrez OpenStack Vulnerability Management Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20141009/7276044d/attachment.pgp>