Bug#799369: jessie-pu: package swift/2.2.0-1

To: Thomas Goirand <zigo@debian.org>, 799369@bugs.debian.org
Subject: Bug#799369: jessie-pu: package swift/2.2.0-1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Mon, 09 Nov 2015 17:15:39 +0000
Message-id: <[🔎] c9525e816a273f7532cab3c7f2bc784f@mail.adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 799369@bugs.debian.org
In-reply-to: <20150918113806.30295.16324.reportbug@buzig2.mirantis.com>
References: <20150918113806.30295.16324.reportbug@buzig2.mirantis.com>

On 2015-09-18 12:38, Thomas Goirand wrote:

- User creation was done in a non-OpenStack package standard way,namely
missing the --disabled-login option.

I'm confused by this description. Your suggested change *removes*--disabled-login, whereas the description implies that the problem wasthat it was missing.

- On removal, the package was calling userdel, which I considerdangerous
(potential reuse of the UUID).
- On purge, /var/cache/swift wasn't removed.

Ok.

- The swift-container-sync init script wasn't installed.

As far as I can see, that description is rather incomplete. The initscript wasn't "not installed", it wasn't in the package at all.

What's the function of swift-container-sync? Why is it important thatthe init script is added in stable?

More importantly, there's 2 CVEs which needs to be fixed:
- CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift
  object.
- CVE-2015-5223: Information leak via Swift tempurls.

The above CVEs were considered not critical enough by the security team
to deserve a DSA, though they still deserve fixing.


Those look fine, thanks.

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#799369: jessie-pu: package swift/2.2.0-1
  - From: "Novy, Ondrej" <Ondrej.Novy@firma.seznam.cz>

Prev by Date: Bug#760849: transition: glew
Next by Date: Bug#804246: transition: gsl
Previous by thread: Bug#760849: transition: glew
Next by thread: Bug#799369: jessie-pu: package swift/2.2.0-1
Index(es):
- Date
- Thread