Bugzilla – Bug 958759
VUL-1: CVE-2015-8466: python-swift3: replay attack - date/date header unvalidated
Last modified: 2020-06-29 06:23:30 UTC
From Red Hat Bugzilla:
A required header: date or alternate header: x-amz-date is never validated in the case where neither is specified
This leads to a potential replay attack as the value should be within a 5 minute window from the server time.
(it is not clear if we ship this package.)
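A minimal sketch of the check the report describes as missing, added here as an illustration and not taken from swift3's code. The function names, result strings and accepted timestamp formats are assumptions; the 5-minute window is the one quoted in the report.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(minutes=5)  # window stated in the bug report


def parse_request_time(value):
    """Parse an RFC 1123 date or a YYYYMMDDTHHMMSSZ stamp; None if invalid."""
    try:
        parsed = datetime.strptime(value, "%Y%m%dT%H%M%SZ")
    except (TypeError, ValueError):
        try:
            parsed = parsedate_to_datetime(value)
        except (TypeError, ValueError):
            return None
    if parsed.tzinfo is None:
        # Assumption: a timestamp without an offset is treated as UTC.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def check_request_time(headers, now):
    """Return 'ok', 'missing', 'malformed' or 'skewed' (hypothetical labels)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    # x-amz-date is the alternate header and takes precedence when present.
    raw = lowered.get("x-amz-date") or lowered.get("date")
    if not raw:
        # The case from the report: neither header present must be rejected,
        # otherwise a captured signed request stays valid indefinitely.
        return "missing"
    when = parse_request_time(raw)
    if when is None:
        return "malformed"
    if abs(now - when) > MAX_SKEW:
        return "skewed"
    return "ok"


if __name__ == "__main__":
    # Constructed sample requests, evaluated against a fixed "server time".
    server_now = datetime(2015, 12, 9, 12, 0, 0, tzinfo=timezone.utc)
    samples = [
        {},
        {"Date": "Wed, 09 Dec 2015 11:58:00 GMT"},
        {"Date": "Wed, 09 Dec 2015 11:00:00 GMT"},
        {"X-Amz-Date": "20151209T120400Z"},
    ]
    for sample in samples:
        print(sample, "->", check_request_time(sample, server_now))
```

The timestamp check only limits how long a captured request remains usable; it has to run before or together with signature verification, and the headers checked must be the ones covered by the signature.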
bugbot adjusting priority
This has nothing to do with openstack-swift but is part of python3-swift.
it seems we are not shipping it?
and python-swift is unrelated?
then please close
No, we do ship python-swift3, but it's an optional component and not enabled/configured/installed by default, IIRC.
It does not appear in either IBS or OBS "osc se --binary python3-swift" searches.
So it might not be built anywhere.
D'oh, sorry, I see where the confusion is coming from. See corrected summary:)
ah yes. it seems to be in cloud 5.
As it is not default we can make it a planned update; if we ever do an update we can roll it in.
resolved as IBS package is using swift3-1.12.1.dev8.tar
please review and close