[PKG-Openstack-devel] Bug#799369: jessie-pu: package swift/2.2.0-1
zigo at debian.org
Fri Sep 18 11:38:06 UTC 2015
User: release.debian.org at packages.debian.org
Dear Stable release team,
I'd like to upload an update of Swift through s-p-u, in order to fix a
number of issues listed below:
- User creation was done in a non-OpenStack package standard way, namely
missing the --disabled-login option.
- On removal, the package was calling userdel, which I consider dangerous
(potential reuse of the UUID).
- On purge, /var/cache/swift wasn't removed.
- The swift-container-sync init script wasn't installed.
More importantly, there are 2 CVEs which need to be fixed:
- CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift
- CVE-2015-5223: Information leak via Swift tempurls.
The above CVEs were considered not critical enough by the security team
to deserve a DSA, though they still deserve fixing.
I have attached a debdiff with all of the above problems corrected. The
pre-built package is also available here:
Please allow me to upload swift/2.2.0-1+deb8u1 to jessie-proposed-updates.
Thomas Goirand (zigo)
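As an added illustration (not the debdiff attached to this report, and not the swift package's actual maintainer scripts), here is postinst/postrm logic that matches the packaging fixes listed above: the service account is created with --disabled-login, purge removes the cache directory, and userdel is never called. It assumes a service user named swift with home /var/lib/swift; the cache path is a variable so the purge branch can be exercised on a scratch directory.

```shell
#!/bin/sh
# Hypothetical Debian maintainer-script fragment for an OpenStack service package.
# Assumptions: service user "swift", home /var/lib/swift, cache in /var/cache/swift.
set -e

SWIFT_USER="${SWIFT_USER:-swift}"
SWIFT_CACHE_DIR="${SWIFT_CACHE_DIR:-/var/cache/swift}"

# postinst "configure": create the service account once, with login disabled,
# so the account the daemons run as cannot be used for an interactive login.
swift_postinst_configure() {
    if ! getent passwd "$SWIFT_USER" >/dev/null; then
        adduser --quiet --system --group --no-create-home \
            --home /var/lib/swift --shell /bin/false \
            --disabled-login "$SWIFT_USER"
    fi
}

# postrm: "remove" keeps both the account and the cache (the package may be
# reinstalled); "purge" deletes the cache but deliberately does NOT call
# userdel, so the numeric id cannot later be handed to an unrelated account
# while files owned by it may still exist on disk.
swift_postrm() {
    case "$1" in
        purge)
            rm -rf "$SWIFT_CACHE_DIR"
            ;;
        remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
            ;;
        *)
            echo "postrm called with unknown argument '$1'" >&2
            return 1
            ;;
    esac
    return 0
}

# Returns 0 while the account still exists; lets a caller verify that purge
# left the user in place.
swift_user_exists() {
    getent passwd "$SWIFT_USER" >/dev/null
}
```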