Bug 958759 - (CVE-2015-8466) VUL-1: CVE-2015-8466: python-swift3: replay attack - date/date header unvalidated
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium : Normal
Assigned To: Security Team bot
Reported: 2015-12-11 12:05 UTC by Marcus Meissner
Modified: 2020-06-29 06:23 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2015-12-11 12:05:43 UTC
From Red Hat Bugzilla:

A required header: date or alternate header: x-amz-date is never validated in the case where neither is specified.
This leads to a potential replay attack, as the value should be within a 5-minute window from the server time.


(it is not clear if we ship this package.)
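
The check the description says is missing, as an added Python sketch; it is not swift3's code or the upstream fix. The function names, the lower-cased header dict and the precedence of x-amz-date over date are assumptions of this example; the 5-minute window is the one stated in the description.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(minutes=5)  # window stated in the bug description


class DateCheckError(Exception):
    """Raised when the request timestamp is missing, malformed or stale."""


def parse_timestamp(value):
    """Parse ISO 8601 basic form (YYYYMMDDTHHMMSSZ) or an RFC 1123 date."""
    try:
        parsed = datetime.strptime(value, "%Y%m%dT%H%M%SZ")
    except ValueError:
        try:
            parsed = parsedate_to_datetime(value)
        except (TypeError, ValueError):
            raise DateCheckError("malformed date header: %r" % value)
    if parsed.tzinfo is None:
        # No usable zone information: treat the value as UTC.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def check_request_date(headers, now=None):
    """Return the validated request timestamp or raise DateCheckError.

    headers: dict keyed by lower-cased header name (assumption of this sketch).
    now: server time; injectable so the check can be tested deterministically.
    """
    now = now or datetime.now(timezone.utc)
    # Assumption: x-amz-date, when present, takes precedence over date.
    raw = headers.get("x-amz-date") or headers.get("date")
    if not raw:
        # The case from the report: with neither header present the request
        # must be rejected, not passed through without a freshness check.
        raise DateCheckError("missing date or x-amz-date header")
    stamp = parse_timestamp(raw)
    if abs(now - stamp) > MAX_SKEW:
        raise DateCheckError("request time outside the allowed window")
    return stamp
```

The signature check still has to cover the same header value that was validated here; otherwise a captured request could be resent with a fresh, unsigned date.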
Comment 1 Swamp Workflow Management 2015-12-11 23:00:34 UTC
bugbot adjusting priority
Comment 2 Dirk Mueller 2015-12-13 18:09:59 UTC
This has nothing to do with openstack-swift but is part of python3-swift.

Comment 3 Marcus Meissner 2015-12-13 21:32:59 UTC
it seems we are not shipping it?

and python-swift is unrelated?

then please close
Comment 4 Dirk Mueller 2015-12-14 08:06:53 UTC
No, we do ship python-swift3, but it's an optional component and not enabled/configured/installed by default iirc
Comment 5 Marcus Meissner 2015-12-14 09:29:07 UTC
It does not appear in either IBS or OBS "osc se --binary python3-swift" searches.

(python-swift does)

So it might not be built anywhere.
Comment 6 Dirk Mueller 2015-12-14 14:06:20 UTC
D'oh, sorry, I see where the confusion is coming from. See corrected summary:)
Comment 7 Marcus Meissner 2015-12-14 15:35:49 UTC
ah yes. it seems to be in cloud 5.

as it is not default we can make it a planned update, if we ever do an update
we can roll it in.
Comment 9 Keith Berger 2020-05-18 16:00:17 UTC
resolved as IBS package is using swift3-1.12.1.dev8.tar

please review and close