Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1887-1] OpenStack Swift vulnerabilities (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Wed, 19 Jun 2013 21:42:11 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1887-1] OpenStack Swift vulnerabilities
Message-ID: <51C26C03.3060708@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1887-1
June 20, 2013
swift vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
Multiple security issues were fixed in OpenStack Swift.
Software Description:
- swift: OpenStack distributed virtual object store
Details:
Sebastian Krahmer discovered that Swift used the loads function in the
pickle Python module when it was configured to use memcached. A remote
attacker on the same network as memcached could exploit this to execute
arbitrary code. This update adds a new memcache_serialization_support
option to support secure json serialization. For details on this new
option, please see /usr/share/doc/swift-proxy/memcache.conf-sample. This
issue only affected Ubuntu 12.04 LTS. (CVE-2012-4406)
Alex Gaynor discovered that Swift did not safely generate XML. An
attacker could potentially craft an account name to generate arbitrary XML
responses to trigger vulnerabilities in software parsing Swift's XML.
(CVE-2013-2161)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.04:
python-swift 1.8.0-0ubuntu1.2
Ubuntu 12.10:
python-swift 1.7.4-0ubuntu2.2
Ubuntu 12.04 LTS:
python-swift 1.4.8-0ubuntu2.2
After a standard system update you need to restart Swift to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-1887-1
CVE-2012-4406, CVE-2013-2161
Package Information:
https://launchpad.net/ubuntu/+source/swift/1.8.0-0ubuntu1.2
https://launchpad.net/ubuntu/+source/swift/1.7.4-0ubuntu2.2
https://launchpad.net/ubuntu/+source/swift/1.4.8-0ubuntu2.2
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 105, Issue 13
*********************************************************
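The change described for CVE-2012-4406 above, replacing pickle with JSON for values cached in memcached, sketched as an added example; this is not code from the advisory or from Swift. A dict stands in for the memcached server, and the flag constants and the mode numbers (0 = pickle, 1 = write JSON but still read pickle, 2 = JSON only) are assumptions of this sketch; check memcache.conf-sample for the actual values of memcache_serialization_support.

```python
import json
import pickle

# Flag stored beside each cache value to record how it was serialized
# (constructed constants for this sketch).
PICKLE_FLAG = 1
JSON_FLAG = 2


class UnsafeFormat(Exception):
    """Raised when a cached value is in a format the current mode refuses."""


def encode(value, mode):
    """Serialize a value for the cache; returns (flags, payload_bytes)."""
    if mode == 0:
        return PICKLE_FLAG, pickle.dumps(value, protocol=2)
    # Modes 1 and 2 always write JSON, which carries data only, never code.
    return JSON_FLAG, json.dumps(value).encode("utf-8")


def decode(flags, payload, mode):
    """Deserialize a cache entry according to the configured mode."""
    if flags == JSON_FLAG:
        return json.loads(payload.decode("utf-8"))
    if flags == PICKLE_FLAG:
        if mode == 2:
            # JSON-only: never hand cache bytes to pickle.loads.
            raise UnsafeFormat("pickle entry refused in JSON-only mode")
        # Modes 0 and 1 still trust whoever can write to memcached.
        return pickle.loads(payload)
    raise UnsafeFormat("unknown serialization flag %r" % flags)


def get(store, key, mode):
    """Cache lookup that treats refused or malformed entries as a miss."""
    entry = store.get(key)
    if entry is None:
        return None
    try:
        return decode(entry[0], entry[1], mode)
    except (UnsafeFormat, ValueError):
        return None


# Constructed sample: one entry written by the old mode, one by the new.
store = {}
store["legacy"] = encode({"account": "AUTH_test", "count": 3}, mode=0)
store["current"] = encode({"account": "AUTH_test", "count": 3}, mode=2)
```

In the JSON-only mode a leftover pickle entry is simply a cache miss, so the value is rebuilt from its source instead of being deserialized from bytes that anyone with network access to memcached could have written.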