[openstack-announce] [OSSA 2014-034] Swift metadata constraints are not correctly enforced (CVE-2014-7960)

Thierry Carrez thierry at openstack.org
Thu Oct 9 12:44:07 UTC 2014


OpenStack Security Advisory: 2014-034
CVE: CVE-2014-7960
Date: October 09, 2014
Title: Swift metadata constraints are not correctly enforced
Reporter: Rajaneesh Singh
Products: Swift
Versions: up to 2.1.0

Description:
Rajaneesh Singh reported a vulnerability in the way Swift enforces
metadata constraints. By adding metadata in several separate calls, an
authenticated attacker can bypass the max_meta_count constraint,
potentially resulting in the storage of more metadata than allowed in
configuration.

Juno (development branch) fix:
https://review.openstack.org/125360

Icehouse fix:
https://review.openstack.org/126645

Notes:
This fix will be included in the upcoming 2.2.0 Juno release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7960
https://launchpad.net/bugs/1365350

--
Thierry Carrez
OpenStack Vulnerability Management Team

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20141009/7276044d/attachment.pgp>


More information about the OpenStack-announce mailing list