[OSSA 2013-022] Swift Denial of Service using superfluous object tombstones (CVE-2013-4155)
OpenStack Security Advisory: 2013-022
CVE: CVE-2013-4155
Date: August 7, 2013
Title: Swift Denial of Service using superfluous object tombstones
Reporter: Peter Portante (Red Hat)
Products: Swift
Affects: All versions

Description:
Peter Portante from Red Hat reported a vulnerability in Swift. By issuing requests with an old X-Timestamp value, an authenticated attacker can fill an object server with superfluous object tombstones, which may significantly slow down subsequent requests to that object server, facilitating a Denial of Service attack against Swift clusters.

Havana (development branch) fix:
https://review.openstack.org/40643

Grizzly fix:
https://review.openstack.org/40645

Folsom fix:
https://review.openstack.org/40646

Note:
The havana fix will be included in the upcoming Swift 1.9.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4155
https://bugs.launchpad.net/swift/+bug/1196932

Regards,

--
Thierry Carrez
OpenStack Vulnerability Management Team
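An added example, not part of the advisory or of Swift's own code: a read-only audit that walks an object server's data directory and reports object directories holding tombstones older than their newest file, which is the residue the Description refers to. It assumes an on-disk layout of one directory per object with files named <timestamp>.data, <timestamp>.ts and <timestamp>.meta; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
# Assumption: object files are named "<timestamp>.<ext>", with ".ts" marking a tombstone.
SUFFIXES = (".data", ".ts", ".meta")

def parse_name(filename):
    """Split '<timestamp>.<ext>' into (float timestamp, ext); None for other files."""
    stem, ext = os.path.splitext(filename)
    if ext not in SUFFIXES:
        return None
    try:
        return float(stem), ext
    except ValueError:
        return None

def audit(objects_root, min_stale=1):
    """Return [(directory, stale_tombstone_names, newest_name)], worst first."""
    findings = []
    for dirpath, _dirs, files in os.walk(objects_root):
        entries = [(parse_name(f), f) for f in files]
        entries = sorted((p[0], p[1], f) for p, f in entries if p)
        if not entries:
            continue
        newest_ts, _ext, newest_name = entries[-1]
        stale = [f for ts, ext, f in entries if ext == ".ts" and ts < newest_ts]
        if len(stale) >= min_stale:
            findings.append((dirpath, stale, newest_name))
    return sorted(findings, key=lambda item: len(item[1]), reverse=True)

def build_sample(root):
    """Constructed sample tree: one polluted object directory, one clean one."""
    polluted = os.path.join(root, "objects", "1024", "abc", "hash-polluted")
    clean = os.path.join(root, "objects", "1024", "def", "hash-clean")
    names = {
        polluted: ["1375862400.00000.data", "1000000001.00000.ts",
                   "1000000002.00000.ts", "1000000003.00000.ts"],
        clean: ["1375862500.00000.ts"],
    }
    for directory, files in names.items():
        os.makedirs(directory)
        for name in files:
            open(os.path.join(directory, name), "w").close()
    return polluted

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for directory, stale, newest in audit(tmp):
            print(f"{directory}: {len(stale)} stale tombstones behind {newest}")
```

Raising min_stale limits the report to directories with many stale tombstones, which is where the slowdown described above would show first.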