Package: swift | Debian Sources

Package: swift / 1.4.8-2+deb7u1

Metadata

Package	Version	Patches format
swift	1.4.8-2+deb7u1	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
CVE 2012 4406_Do not use pickle for serialization in memcache but JSON.patch \| (download)	doc/manpages/proxy-server.conf.5 \| 15 15 + 0 - 0 ! etc/memcache.conf-sample \| 10 10 + 0 - 0 ! etc/proxy-server.conf-sample \| 12 12 + 0 - 0 ! swift/common/memcached.py \| 48 39 + 9 - 0 ! swift/common/middleware/memcache.py \| 30 23 + 7 - 0 ! test/unit/common/middleware/test_memcache.py \| 5 4 + 1 - 0 ! test/unit/common/test_memcached.py \| 22 22 + 0 - 0 ! 7 files changed, 125 insertions(+), 17 deletions(-)	do not use pickle for serialization in memcache, but json We don't want to use pickle as it can execute arbitrary code. JSON is safer. However, note that it supports serialization for only some specific subset of object types; this should be enough for what we need, though. . To avoid issues on upgrades (unability to read pickled values, and cache poisoning for old servers not understanding JSON), we add a memcache_serialization_support configuration option, with the following values: . 0 = older, insecure pickle serialization 1 = json serialization but pickles can still be read (still insecure) 2 = json serialization only (secure and the default) . To avoid an instant full cache flush, existing installations should upgrade with 0, then set to 1 and reload, then after some time (24 hours) set to 2 and reload. Support for 0 and 1 will be removed in future versions.
CVE 2013 2161.patch \| (download)	swift/account/server.py \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	[patch] check user input in xml responses. Fixes bug 1183884. * swift/account/server.py: Escape account name in XML listings.
CVE 2013 4155_DoS_using_superfluous_object_tombstones.patch \| (download)	swift/obj/server.py \| 65 37 + 28 - 0 ! test/unit/obj/test_server.py \| 194 191 + 3 - 0 ! 2 files changed, 228 insertions(+), 31 deletions(-)	fix handling of delete obj reqs with old timestamp The DELETE object REST API was creating tombstone files with old timestamps, potentially filling up the disk, as well as sending container updates. . Here we now make DELETEs with a request timestamp return a 409 (HTTP Conflict) if a data file exists with a newer timestamp, only creating tombstones if they have a newer timestamp. . The key fix is to actually read the timestamp metadata from an existing tombstone file (thanks to Pete Zaitcev for catching this), and then only create tombstone files with newer timestamps. . We also prevent PUT and POST operations using old timestamps as well.

Patch

File delta

Description

CVE 2012 4406_Do not use pickle for serialization in memcache but JSON.patch | (download)

doc/manpages/proxy-server.conf.5 | 15 15 + 0 - 0 !
etc/memcache.conf-sample | 10 10 + 0 - 0 !
etc/proxy-server.conf-sample | 12 12 + 0 - 0 !
swift/common/memcached.py | 48 39 + 9 - 0 !
swift/common/middleware/memcache.py | 30 23 + 7 - 0 !
test/unit/common/middleware/test_memcache.py | 5 4 + 1 - 0 !
test/unit/common/test_memcached.py | 22 22 + 0 - 0 !
7 files changed, 125 insertions(+), 17 deletions(-)

 do not use pickle for serialization in memcache, but json
 We don't want to use pickle as it can execute arbitrary code. JSON is
 safer. However, note that it supports serialization for only some
 specific subset of object types; this should be enough for what we need,
 though.
 .
 To avoid issues on upgrades (unability to read pickled values, and cache
 poisoning for old servers not understanding JSON), we add a
 memcache_serialization_support configuration option, with the following
 values:
 .
  0 = older, insecure pickle serialization
  1 = json serialization but pickles can still be read (still insecure)
  2 = json serialization only (secure and the default)
 .
 To avoid an instant full cache flush, existing installations should
 upgrade with 0, then set to 1 and reload, then after some time (24
 hours) set to 2 and reload. Support for 0 and 1 will be removed in
 future versions.

CVE 2013 2161.patch | (download)

swift/account/server.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] check user input in xml responses.

Fixes bug 1183884.

* swift/account/server.py: Escape account name in XML listings.

CVE 2013 4155_DoS_using_superfluous_object_tombstones.patch | (download)

swift/obj/server.py | 65 37 + 28 - 0 !
test/unit/obj/test_server.py | 194 191 + 3 - 0 !
2 files changed, 228 insertions(+), 31 deletions(-)

 fix handling of delete obj reqs with old timestamp
 The DELETE object REST API was creating tombstone files with old timestamps,
 potentially filling up the disk, as well as sending container updates.
 .
 Here we now make DELETEs with a request timestamp return a 409 (HTTP Conflict)
 if a data file exists with a newer timestamp, only creating tombstones if they
 have a newer timestamp.
 .
 The key fix is to actually read the timestamp metadata from an existing
 tombstone file (thanks to Pete Zaitcev for catching this), and then only
 create tombstone files with newer timestamps.
 .
 We also prevent PUT and POST operations using old timestamps as well.