Bugzilla – Bug 824286
VUL-0: openstack-swift: CVE-2013-2161: Unchecked user input in Swift XML responses
Last modified: 2013-07-05 09:04:23 UTC
bugbot adjusting priority
Public now: https://lists.launchpad.net/openstack/msg24373.html

Date: Thu, 13 Jun 2013 16:21:07 +0000
From: Jeremy Stanley
Subject: [OSSA 2013-016] Unchecked user input in Swift XML responses (CVE-2013-2161)

OpenStack Security Advisory: 2013-016
CVE: CVE-2013-2161
Date: June 13, 2013
Title: Unchecked user input in Swift XML responses
Reporter: Alex Gaynor (Rackspace)
Products: Swift
Affects: All versions

Description:
Alex Gaynor from Rackspace reported a vulnerability in XML handling within Swift account servers. Account strings were unescaped in XML listings, and an attacker could potentially generate unparsable or arbitrary XML responses which may be used to leverage other vulnerabilities in the calling software.

Havana (development branch) fix: https://review.openstack.org/32905
Grizzly fix: https://review.openstack.org/32909
Folsom fix: https://review.openstack.org/32911

Notes:
This fix will be included in the next release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2161
https://bugs.launchpad.net/swift/+bug/1183884
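The escaping flaw the advisory describes, shown as an added example that is not Swift's code and not part of the original report: an account string interpolated into an XML listing as-is, next to the same listing built with attribute escaping, and what a client-side parser makes of each. The listing layout, function names and sample account strings are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Simplified listing layout, assumed for this example (not copied from Swift).
DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'


def _rows(containers):
    # Container names go into element text, so escape() is the right helper.
    return ''.join('<container><name>%s</name></container>' % escape(c)
                   for c in containers)


def listing_unescaped(account, containers):
    """Flawed pattern: the account string lands in the attribute as-is."""
    return '%s<account name="%s">%s</account>' % (
        DECL, account, _rows(containers))


def listing_escaped(account, containers):
    """Hardened pattern: quoteattr() escapes the value and adds safe quotes."""
    return '%s<account name=%s>%s</account>' % (
        DECL, quoteattr(account), _rows(containers))


def parse_listing(doc):
    """What a client sees: (root attributes, container names), or None
    when the response is not well-formed XML."""
    try:
        root = ET.fromstring(doc.encode('utf-8'))
    except ET.ParseError:
        return None
    names = [c.findtext('name') for c in root.iter('container')]
    return dict(root.attrib), names


# Constructed account strings, not taken from the advisory.
SAMPLES = ['AUTH_test', 'AUTH_a&b', 'AUTH_x" injected="1']

if __name__ == '__main__':
    for acct in SAMPLES:
        print(repr(acct))
        print('  unescaped:', parse_listing(listing_unescaped(acct, ['c1'])))
        print('  escaped:  ', parse_listing(listing_escaped(acct, ['c1'])))
```

With the unescaped builder the second sample yields a response the client cannot parse and the third changes the attributes of the root element; with the escaped builder every sample round-trips as the literal account string.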
The SWAMPID for this issue is 52995. This issue was rated as moderate. Please submit fixed packages until 2013-07-01. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Fix submitted for openSUSE 12.3 too: sr#179256.
Update released for: openstack-swift, openstack-swift-account, openstack-swift-container, openstack-swift-doc, openstack-swift-object, openstack-swift-proxy, openstack-swift-test, python-swift
Products: SUSE-CLOUD 1.0 (x86_64)
released
openSUSE-SU-2013:1146-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 824286
CVE References: CVE-2013-2161
Sources used:
openSUSE 12.3 (src): openstack-swift-1.7.4.1+git.1359529903.0ce3e1d-2.8.1, openstack-swift-doc-1.7.4.1+git.1359529903.0ce3e1d-2.8.1