[USN-2256-1] Swift vulnerability
Jamie Strandboge
jamie at canonical.com
Wed Jun 25 21:56:19 UTC 2014
==========================================================================
Ubuntu Security Notice USN-2256-1
June 25, 2014
swift vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Swift did not properly perform input validation of certain HTTP headers.
Software Description:
- swift: OpenStack distributed virtual object store
Details:
John Dickinson discovered that Swift did not properly quote the
WWW-Authenticate header value. If a user were tricked into navigating to a
malicious Swift URL, an attacker could conduct cross-site scripting
attacks. With cross-site scripting vulnerabilities, if a user were tricked
into viewing server output during a crafted server request, a remote
attacker could exploit this to modify the contents, or steal confidential
data, within the same domain.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
python-swift 1.13.1-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2256-1
CVE-2014-3497
Package Information:
https://launchpad.net/ubuntu/+source/swift/1.13.1-0ubuntu1.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140625/63a07421/attachment.sig>
More information about the ubuntu-security-announce
mailing list