[USN-2256-1] Swift vulnerability

Jamie Strandboge jamie at canonical.com
Wed Jun 25 21:56:19 UTC 2014


==========================================================================
Ubuntu Security Notice USN-2256-1
June 25, 2014

swift vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Swift did not properly perform input validation of certain HTTP headers.

Software Description:
- swift: OpenStack distributed virtual object store

Details:

John Dickinson discovered that Swift did not properly quote the
WWW-Authenticate header value. If a user were tricked into navigating to a
malicious Swift URL, an attacker could conduct cross-site scripting
attacks. With cross-site scripting vulnerabilities, if a user were tricked
into viewing server output during a crafted server request, a remote
attacker could exploit this to modify the contents, or steal confidential
data, within the same domain.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  python-swift                    1.13.1-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2256-1
  CVE-2014-3497

Package Information:
  https://launchpad.net/ubuntu/+source/swift/1.13.1-0ubuntu1.1




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140625/63a07421/attachment.sig>


More information about the ubuntu-security-announce mailing list