[USN-1887-1] OpenStack Swift vulnerabilities
Posted on 20 June 2013
==========================================================================
Ubuntu Security Notice USN-1887-1
June 20, 2013
swift vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
Multiple security issues were fixed in OpenStack Swift.
Software Description:
- swift: OpenStack distributed virtual object store
Details:
Sebastian Krahmer discovered that Swift used the loads function in the
pickle Python module when it was configured to use memcached. A remote
attacker on the same network as memcached could exploit this to execute
arbitrary code. This update adds a new memcache_serialization_support
option to support secure json serialization. For details on this new
option, please see /usr/share/doc/swift-proxy/memcache.conf-sample. This
issue only affected Ubuntu 12.04 LTS. (CVE-2012-4406)
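The following is an added example, not code from this notice or from Swift. It lists the opcodes in a pickled cache value that would make pickle.loads import and call names taken from the stream, without loading it, and shows a JSON-only codec that refuses such a value; the function names and the sample value are constructed for illustration.

```python
import json
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that make the unpickler import a name or call something from the stream.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}

# Constructed sample: a value as a pickle-based cache client would store it.
LEGACY_SAMPLE = pickle.dumps(OrderedDict(status=200), protocol=2)


def pickle_code_opcodes(blob):
    """List code-reaching opcodes in a pickle stream without loading it."""
    found = []
    for opcode, arg, _pos in pickletools.genops(blob):
        if opcode.name in CODE_OPCODES:
            found.append(opcode.name if arg is None else f"{opcode.name} {arg}")
    return found


def encode_cache_value(value):
    """Serialize as JSON, which can only express plain data types."""
    return json.dumps(value, separators=(",", ":")).encode("utf-8")


def decode_cache_value(blob):
    """Parse bytes read from the cache as JSON; never fall back to pickle."""
    try:
        return json.loads(blob.decode("utf-8"))
    except ValueError as exc:  # covers UnicodeDecodeError and JSONDecodeError
        raise ValueError("cache value is not JSON, refusing to unpickle") from exc


if __name__ == "__main__":
    # Even a benign pickle names a callable that the reader would import and call.
    print(pickle_code_opcodes(LEGACY_SAMPLE))
    stored = encode_cache_value({"status": 200, "containers": ["a", "b"]})
    print(stored, decode_cache_value(stored))
    try:
        decode_cache_value(LEGACY_SAMPLE)
    except ValueError as err:
        print("rejected:", err)
```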
Alex Gaynor discovered that Swift did not safely generate XML. An
attacker could potentially craft an account name to generate arbitrary XML
responses to trigger vulnerabilities in software parsing Swift's XML.
(CVE-2013-2161)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.04:
python-swift 1.8.0-0ubuntu1.2
Ubuntu 12.10:
python-swift 1.7.4-0ubuntu2.2
Ubuntu 12.04 LTS:
python-swift 1.4.8-0ubuntu2.2
After a standard system update you need to restart Swift to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-1887-1
CVE-2012-4406, CVE-2013-2161
Package Information:
https://launchpad.net/ubuntu/+source/swift/1.8.0-0ubuntu1.2
https://launchpad.net/ubuntu/+source/swift/1.7.4-0ubuntu2.2
https://launchpad.net/ubuntu/+source/swift/1.4.8-0ubuntu2.2