[PKG-Openstack-devel] Bug#799369: jessie-pu: package swift/2.2.0-1

Thomas Goirand zigo at debian.org
Fri Sep 18 11:38:06 UTC 2015


Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu

Dear Stable release team,

I'd like to upload an update of Swift through s-p-u, in order to fix a
number of issues listed below:
- User creation was done in a non-OpenStack package standard way, namely
missing the --disabled-login option.
- On removal, the package was calling userdel, which I consider dangerous
(potential reuse of the UUID).
- On purge, /var/cache/swift wasn't removed.
- The swift-container-sync init script wasn't installed.

More importantly, there are 2 CVEs which need to be fixed:
- CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift
  object.
- CVE-2015-5223: Information leak via Swift tempurls.

The above CVEs were considered not critical enough by the security team
to deserve a DSA, though they still deserve fixing.

I have attached a debdiff with all of the above problems corrected. The
pre-built package is also available here:
http://sid.gplhost.com/jessie-proposed-updates/swift/

Please allow me to upload swift/2.2.0-1+deb8u1 to jessie-proposed-updates.

Cheers,

Thomas Goirand (zigo)
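As an added illustration (not the debdiff attached to this report), the first two fixes listed above sketched as Debian maintainer-script functions: a postinst step that creates the swift service account with --disabled-login, and a postrm purge step that removes /var/cache/swift without calling userdel. The home directory, gecos string and the ADDUSER/GETENT overrides are assumptions made here so the logic can be exercised without root.

```shell
#!/bin/sh
# Assumed maintainer-script helpers for the swift package (example, not Debian's own).
set -e

SWIFT_USER=swift
SWIFT_HOME=/var/lib/swift          # assumed home directory
ADDUSER="${ADDUSER:-adduser}"      # overridable to exercise the logic without root
GETENT="${GETENT:-getent}"

# postinst "configure": create the service account only if it does not exist yet.
# --system gives a UID from the system range, --disabled-login sets an
# unusable password so nobody can log in as the daemon account.
create_swift_user() {
    if ! "$GETENT" passwd "$SWIFT_USER" >/dev/null 2>&1; then
        "$ADDUSER" --system --quiet --group --disabled-login \
            --home "$SWIFT_HOME" --no-create-home \
            --gecos "OpenStack Swift" "$SWIFT_USER"
    fi
}

# postrm "purge": drop the package's cached state but keep the account.
# userdel is deliberately not called: a freed UID can later be handed to an
# unrelated account, which would then own any leftover files of the old user.
purge_swift_state() {
    cache_dir="${1:-/var/cache/swift}"
    rm -rf "$cache_dir"
}

# Typical dispatch from the real scripts (kept as a comment so this file has
# no side effects when sourced):
#   postinst: case "$1" in configure) create_swift_user ;; esac
#   postrm:   case "$1" in purge)     purge_swift_state ;; esac
```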
-------------- next part --------------
A non-text attachment was scrubbed...
Name: swift_2.2.0-1+deb8u1.debdiff
Type: text/x-diff
Size: 27595 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/openstack-devel/attachments/20150918/eb6fbc8d/attachment-0001.diff>