
Bug#686814: unblock: swift/1.4.8-2



Control: tags -1 + moreinfo

On Thu, 2012-09-06 at 16:56 +0800, Thomas Goirand wrote:
> Please unblock package swift. This new version fixes CVE-2012-4406 / #686812.
> Debdiff attached: it only adds upstream patch as see here:
> https://github.com/openstack/swift/commit/e1ff51c04554d51616d2845f92ab726cb0e5831a

+ To avoid issues on upgrades (unability to read pickled values, and cache

s/unability/inability/, fwiw.

+ poisoning for old servers not understanding JSON), we add a
+ memcache_serialization_support configuration option, with the following
+ values:
+ .
+  0 = older, insecure pickle serialization
+  1 = json serialization but pickles can still be read (still insecure)
+  2 = json serialization only (secure and the default)
+ .
+ To avoid an instant full cache flush, existing installations should
+ upgrade with 0, then set to 1 and reload, then after some time (24
+ hours) set to 2 and reload. Support for 0 and 1 will be removed in
+ future versions.
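Review bot: the upgrade procedure in this hunk ("upgrade with 0, then set to 1 and reload, then ... set to 2") presupposes that memcache_serialization_support is already set to 0 when the new package is installed, yet the same hunk states that 2 is the default; the changelog should say explicitly that existing installations must add the option with value 0 to their configuration before upgrading, otherwise the documented no-flush path cannot be followed and the cache is flushed on the upgrade itself.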

Reading the patch, I'm assuming that this means that every user
upgrading the package will have their cache immediately invalidated, as
there's no way they can know the above information before the upgrade
has been completed.

Not being that familiar with the package, I'm not sure whether this is a
practical issue in this case...

Regards,

Adam
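An added illustration (not Swift's code and not part of this bug report) of the three memcache_serialization_support levels the quoted changelog describes; it assumes a flag bit stored alongside the cached value marks JSON-encoded entries, and uses a constructed sample value:

```python
import json
import pickle

# Constructed model of the three levels from the changelog (assumption:
# this mirrors the described behaviour, not Swift's implementation).
PICKLE_ONLY, JSON_WRITE_PICKLE_READ, JSON_ONLY = 0, 1, 2
JSON_FLAG = 1  # assumed flag bit marking a JSON-encoded cache entry


def serialize(value, level):
    """Return (payload, flags) as a server at `level` would write them."""
    if level == PICKLE_ONLY:
        return pickle.dumps(value, protocol=2), 0
    return json.dumps(value).encode("utf-8"), JSON_FLAG


def deserialize(payload, flags, level):
    """Read a cache entry as a server at `level` would."""
    if level == PICKLE_ONLY:
        # Level 0 knows nothing about the flag: everything is unpickled.
        return pickle.loads(payload)
    if flags & JSON_FLAG:
        return json.loads(payload.decode("utf-8"))
    if level == JSON_ONLY:
        # Level 2 never unpickles cached data; treat the entry as a miss.
        raise ValueError("refusing to unpickle cache entry at level 2")
    return pickle.loads(payload)  # level 1: legacy pickles still readable


def rolling_upgrade_demo():
    """Walk 0 -> 1 -> 2 and record which entries each level can read."""
    value = {"account": "AUTH_test", "status": 200}  # constructed sample
    results = {}
    old_payload, old_flags = serialize(value, PICKLE_ONLY)
    new_payload, new_flags = serialize(value, JSON_WRITE_PICKLE_READ)
    # A level-0 server cannot read JSON written by a level-1 server,
    # which is why all servers must reach level 1 before any writes JSON.
    try:
        deserialize(new_payload, new_flags, PICKLE_ONLY)
        results["level0_reads_json"] = True
    except Exception:
        results["level0_reads_json"] = False
    results["level1_reads_old"] = deserialize(old_payload, old_flags, JSON_WRITE_PICKLE_READ) == value
    results["level2_reads_json"] = deserialize(new_payload, new_flags, JSON_ONLY) == value
    try:
        deserialize(old_payload, old_flags, JSON_ONLY)
        results["level2_refuses_pickle"] = False
    except ValueError:
        results["level2_refuses_pickle"] = True
    return results
```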

