
Bug#799369: jessie-pu: package swift/2.2.0-1



On 09/18/2015 01:38 PM, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> Dear Stable release team,
> 
> I'd like to upload an update of Swift through s-p-u, in order to fix a
> number of issues listed below:
> - User creation was done in a non-OpenStack package standard way, namely
> missing the --disabled-login option.
> - On removal, the package was calling userdel, which I consider dangerous
> (potential reuse of the UUID).
> - On purge, /var/cache/swift wasn't removed.
> - The swift-container-sync init script wasn't installed.
> 
> More importantly, there are 2 CVEs which need to be fixed:
> - CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift
>   object.
> - CVE-2015-5223: Information leak via Swift tempurls.
> 
> The above CVEs were considered not critical enough by the security team
> to deserve a DSA, though they still deserve fixing.
> 
> I have attached a debdiff with all of the above problems corrected. The
> pre-built package is also available here:
> http://sid.gplhost.com/jessie-proposed-updates/swift/
> 
> Please allow me to upload swift/2.2.0-1+deb8u1 to jessie-proposed-updates.
> 
> Cheers,
> 
> Thomas Goirand (zigo)

Gentle ping?
