Your message dated Sun, 22 Nov 2015 22:17:06 +0000
with message-id <e1a0cwu-0002mc...@franck.debian.org>
and subject line Bug#783163: fixed in swift 2.2.0-1+deb8u1
has caused the Debian Bug report #783163,
regarding CVE-2015-1856: Unauthorized delete of versioned Swift object
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
783163: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-swift
Version: 2.2.0-1
Severity: grave
Tags: security patch

Note from maintainer: Upload is following.

Affects
~~~~~~~
- Swift: versions through 2.2.2


Description
~~~~~~~~~~~
Clay Gerrard from SwiftStack reported a vulnerability in Swift object
versioning. An authenticated user can delete the most recent version
of any versioned object whose name is known if the user has listing
access to the x-versions-location container. Only Swift setups with
allow_version setting are affected.


Patches
~~~~~~~
- https://review.openstack.org/173366 (Icehouse)
- https://review.openstack.org/173363 (Juno)
- https://review.openstack.org/173361 (Kilo)


Credits
~~~~~~~
- Clay Gerrard from SwiftStack (CVE-2015-1856)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1430645
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1856

--- End Message ---
--- Begin Message ---
Source: swift
Source-Version: 2.2.0-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
swift, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated swift package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 15 Sep 2015 21:28:14 +0200
Source: swift
Binary: python-swift swift swift-proxy swift-object swift-container swift-account swift-object-expirer swift-doc
Architecture: source all
Version: 2.2.0-1+deb8u1
Distribution: jessie-proposed-updates
Urgency: medium
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 python-swift - distributed virtual object store - Python libraries
 swift      - distributed virtual object store - common files
 swift-account - distributed virtual object store - account server
 swift-container - distributed virtual object store - container server
 swift-doc  - distributed virtual object store - documentation
 swift-object - distributed virtual object store - object server
 swift-object-expirer - distributed virtual object store - object-expirer
 swift-proxy - distributed virtual object store - proxy server
Closes: 783163 797032
Changes:
 swift (2.2.0-1+deb8u1) jessie-proposed-updates; urgency=medium
 .
   [ Thomas Goirand ]
   * Fixed swift user creation (standardized on pkgos way).
   * CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift
     object. Applied upstream patch: Prevent unauthorized delete in versioned
     container (Closes: #783163).
 .
   [ Ondřej Nový ]
   * Fixed service name of object-expirer.
   * Added container-sync init script.
   * CVE-2015-5223: Information leak via Swift tempurls.
     Applied upstream patch: Disallow unsafe tempurl operations to point
     to unauthorized data (Closes: #797032).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---