First Last Prev Next    This bug is not in your last search results.
Bug 958759 - (CVE-2015-8466) VUL-1: CVE-2015-8466: python-swift3: replay attack - date/date header unvalidated
(CVE-2015-8466)
VUL-1: CVE-2015-8466: python-swift3: replay attack - date/date header unvalid...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/159609/
CVSSv2:SUSE:CVE-2015-8466:4.3:(AV:A/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-11 12:05 UTC by Marcus Meissner
Modified: 2020-06-29 06:23 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-12-11 12:05:43 UTC 
from redhat bugzilla:

A required header: date or alternate header: x-amz-date is never validated in the case where neither is specified
This leads to a potential replay attack as the value should be within a 5 minute window from the server time.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1290664


(it is not clear if we ship this package.)
Comment 1 Swamp Workflow Management 2015-12-11 23:00:34 UTC 
bugbot adjusting priority
Comment 2 Dirk Mueller 2015-12-13 18:09:59 UTC 
This has nothing to do with openstack-swift but is part of python3-swift.

https://review.openstack.org/#/c/255067/
https://launchpad.net/bugs/1497424
Comment 3 Marcus Meissner 2015-12-13 21:32:59 UTC 
it seems we are not shipping it?

and python-swift is unrelated?

then please close
Comment 4 Dirk Mueller 2015-12-14 08:06:53 UTC 
no, we do ship python-swift3, but its an optional component and not enabled/configured/installed by default iirc
Comment 5 Marcus Meissner 2015-12-14 09:29:07 UTC 
It does not appear in either IBS or OBS "osc se --binary python3-swift" searches.

(python-swift does)

So it might not be built anywhere.
Comment 6 Dirk Mueller 2015-12-14 14:06:20 UTC 
D'oh, sorry, I see where the confusion is coming from. See corrected summary:)
Comment 7 Marcus Meissner 2015-12-14 15:35:49 UTC 
ah yes. it seems to be in cloud 5.

as it is not default we can make it a planned update, if we ever do an update
we can roll it in.
Comment 9 Keith Berger 2020-05-18 16:00:17 UTC 
resolved as IBS package is using swift3-1.12.1.dev8.tar

please review and close
First Last Prev Next    This bug is not in your last search results.