Package: swift / 1.4.8-2+deb7u1
Patch series
CVE 2012 4406_Do not use pickle for serialization in memcache but JSON.patch
diffstat: 15 lines (15 added, 0 removed, 0 modified)
Do not use pickle for serialization in memcache, but JSON

We don't want to use pickle as it can execute arbitrary code. JSON is safer. However, note that it supports serialization for only some specific subset of object types; this should be enough for what we need, though.

To avoid issues on upgrades (inability to read pickled values, and cache poisoning for old servers not understanding JSON), we add a memcache_serialization_support configuration option, with the following values:

0 = older, insecure pickle serialization
1 = json serialization but pickles can still be read (still insecure)
2 = json serialization only (secure and the default)

To avoid an instant full cache flush, existing installations should upgrade with 0, then set to 1 and reload, then after some time (24 hours) set to 2 and reload. Support for 0 and 1 will be removed in future versions.
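The three modes of the option above, as an added example that is not Swift's own swift/common/memcached.py: a tiny in-memory stand-in for memcached that stores (flags, payload) pairs, a serialization layer that writes pickle only in mode 0 and accepts pickled reads only in modes 0 and 1, a constructed malicious pickle showing what "can execute arbitrary code" means (it calls os.getpid() on load, where an attacker would pick something worse), and a walkthrough of the 0 -> 1 -> 2 upgrade path against one shared cache. The flag bits, the FakeMemcache class and the key names are assumptions of this example, not Swift's API.

```python
"""Memcache (de)serialization with the pickle-to-JSON migration switch.

Added example, not Swift's code. Honours the three values of
memcache_serialization_support:
    0 = pickle on write, pickle accepted on read  (insecure)
    1 = JSON on write, pickle still accepted      (still insecure)
    2 = JSON on write, pickle rejected on read    (secure, default)
The flag bits and FakeMemcache are assumptions made for this example.
"""
import json
import os
import pickle

PICKLE_FLAG = 1  # assumed: bit marking a pickled payload
JSON_FLAG = 2    # assumed: bit marking a JSON payload


class FakeMemcache:
    """Stand-in for one memcached server: key -> (flags, bytes)."""

    def __init__(self):
        self._store = {}

    def set_raw(self, key, flags, payload):
        self._store[key] = (flags, payload)

    def get_raw(self, key):
        return self._store.get(key)


class MemcacheRing:
    """Serialization layer in front of the store, switched by the option value."""

    def __init__(self, client, serialization_support=2):
        if serialization_support not in (0, 1, 2):
            raise ValueError("memcache_serialization_support must be 0, 1 or 2")
        self.client = client
        self._allow_pickle = serialization_support == 0    # write pickles
        self._allow_unpickle = serialization_support <= 1  # read pickles

    def set(self, key, value):
        if self._allow_pickle:
            self.client.set_raw(key, PICKLE_FLAG, pickle.dumps(value, 2))
        else:
            # json.dumps only handles dict/list/str/int/float/bool/None,
            # which is enough for the small metadata records being cached.
            self.client.set_raw(key, JSON_FLAG, json.dumps(value).encode("utf-8"))

    def get(self, key):
        entry = self.client.get_raw(key)
        if entry is None:
            return None
        flags, payload = entry
        if flags & PICKLE_FLAG:
            if not self._allow_unpickle:
                # Mode 2: a pickled entry, whether left over from an old server
                # or planted by anyone who can write to memcached, is a miss.
                return None
            return pickle.loads(payload)  # runs whatever the pickle says
        if flags & JSON_FLAG:
            return json.loads(payload.decode("utf-8"))
        return None


class Planted:
    """Constructed payload: unpickling calls os.getpid() instead of building
    an object. A real attacker would substitute os.system or similar."""

    def __reduce__(self):
        return (os.getpid, ())


def poisoned_read(mode):
    """Plant a malicious pickle in the shared cache, then read it in `mode`.
    Modes 0 and 1 return os.getpid() (the pickle ran code); mode 2 returns None."""
    store = FakeMemcache()
    store.set_raw("account/AUTH_test", PICKLE_FLAG, pickle.dumps(Planted(), 2))
    return MemcacheRing(store, serialization_support=mode).get("account/AUTH_test")


def migration_walkthrough():
    """Simulate the recommended upgrade path 0 -> 1 -> 2 on one shared cache."""
    store = FakeMemcache()
    out = {}
    MemcacheRing(store, 0).set("k0", {"written_in": 0})  # pre-upgrade pickle
    out["mode1_reads_pickle"] = MemcacheRing(store, 1).get("k0")
    MemcacheRing(store, 1).set("k1", {"written_in": 1})  # now writing JSON
    out["mode0_reads_json"] = MemcacheRing(store, 0).get("k1")
    out["mode2_reads_json"] = MemcacheRing(store, 2).get("k1")
    out["mode2_reads_pickle"] = MemcacheRing(store, 2).get("k0")  # stale: miss
    return out


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print("mode", mode, "poisoned entry returned:", poisoned_read(mode))
    print(migration_walkthrough())
```

The walkthrough shows why the staged upgrade is needed: a mode 1 server still reads the pickles written before the upgrade, so switching every node straight to 2 would turn all existing entries into misses at once, while leaving any node at 0 or 1 keeps a path open for a planted pickle to execute.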
CVE 2013 2161.patch
diffstat: 2 lines (1 added, 1 removed, 0 modified)
[patch] check user input in xml responses. Fixes bug 1183884.

* swift/account/server.py: Escape account name in XML listings.
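The escaping that the one-line change above adds, as an added example rather than Swift's account server code: a listing builder that interpolates names directly beside one that escapes them, and a parser-based check showing what a client actually sees in each case. The container name is a constructed sample chosen to inject markup; the element layout follows Swift's XML account listing (account, container, name, count, bytes) but the helper functions are this example's own.

```python
"""Escaping user-controlled names in an XML account listing.

Added example, not Swift's code. The injected container name is constructed
sample data; the helpers are this example's own.
"""
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

ACCOUNT = "AUTH_test"
# Constructed sample data: the second name injects a closed <name> and a forged
# <count> so that the result is still well-formed XML, which is the nastier case.
CONTAINERS = [
    {"name": "photos", "count": 3, "bytes": 4096},
    {"name": "</name><count>999999</count><name>evil", "count": 1, "bytes": 1},
]

ROW = "<container><name>%s</name><count>%d</count><bytes>%d</bytes></container>"


def listing_vulnerable(account, containers):
    """Pre-fix behaviour: names go into the document verbatim."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<account name="%s">' % account]
    for c in containers:
        parts.append(ROW % (c["name"], c["count"], c["bytes"]))
    parts.append("</account>")
    return "\n".join(parts)


def listing_escaped(account, containers):
    """Fixed behaviour: every user-controlled string is escaped for its
    context, quoteattr for the attribute and escape for element text."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             "<account name=%s>" % quoteattr(account)]
    for c in containers:
        parts.append(ROW % (escape(c["name"]), c["count"], c["bytes"]))
    parts.append("</account>")
    return "\n".join(parts)


def parsed_names_and_counts(xml_text):
    """What a client's XML parser reports: a list of (name, count) pairs,
    taking the first <name> and <count> child of each <container>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [(c.findtext("name"), int(c.findtext("count")))
            for c in root.findall("container")]


if __name__ == "__main__":
    print(parsed_names_and_counts(listing_vulnerable(ACCOUNT, CONTAINERS)))
    print(parsed_names_and_counts(listing_escaped(ACCOUNT, CONTAINERS)))
```

With the vulnerable builder the client sees an empty name with a count of 999999 that the server never reported; with the escaped builder it sees the literal name and the real count. A check like parsed_names_and_counts, run over listings built from names containing `<`, `>`, `&` and quotes, is a cheap regression test for this class of bug.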
CVE 2013 4155_DoS_using_superfluous_object_tombstones.patch
Fix handling of DELETE obj reqs with old timestamp

The DELETE object REST API was creating tombstone files with old timestamps, potentially filling up the disk, as well as sending container updates.

Here we now make DELETEs with a request timestamp return a 409 (HTTP Conflict) if a data file exists with a newer timestamp, only creating tombstones if they have a newer timestamp.

The key fix is to actually read the timestamp metadata from an existing tombstone file (thanks to Pete Zaitcev for catching this), and then only create tombstone files with newer timestamps.

We also prevent PUT and POST operations using old timestamps as well.
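The timestamp check described above, as an added example that is not Swift's object server: an in-memory model of one object's directory in which each request leaves a file named `<timestamp>.data` (PUT), `<timestamp>.meta` (POST, this example's own modelling) or `<timestamp>.ts` (tombstone from DELETE), with the pre-fix DELETE that writes a tombstone for any request timestamp beside fixed handlers that compare the request against the newest existing file, tombstones included, and answer 409 when it is not newer. Timestamp strings use Swift's zero-padded `%016.05f` form so that string comparison orders them; the helper names, the 404 for a POST on a deleted object and the two scenarios are assumptions of this example.

```python
"""Old-timestamp DELETE/PUT/POST handling on an object directory.

Added example, not Swift's code. A directory is modelled as a set of file
names; the newest timestamp wins. Helper names and the scenarios are this
example's own.
"""

SUFFIXES = {"PUT": ".data", "POST": ".meta", "DELETE": ".ts"}


def normalize_timestamp(ts):
    """Zero-padded fixed-width string (Swift's X-Timestamp form), so that
    plain string comparison orders timestamps correctly."""
    return "%016.05f" % float(ts)


def file_timestamp(name):
    return name.rsplit(".", 1)[0]


def newest_file(files):
    """The file with the highest timestamp, or None for an empty directory."""
    return max(files, key=file_timestamp) if files else None


def unlink_older(files, req):
    """Drop every file older than the request timestamp (Swift's unlinkold)."""
    for name in [n for n in files if file_timestamp(n) < req]:
        files.discard(name)


def delete_vulnerable(files, req_ts):
    """Pre-fix DELETE: writes a tombstone for any request timestamp without
    consulting what is on disk, so DELETEs with old timestamps pile up."""
    req = normalize_timestamp(req_ts)
    files.add(req + ".ts")
    unlink_older(files, req)
    return 204


def handle_fixed(files, method, req_ts):
    """Fixed PUT/POST/DELETE: 409 unless the request is newer than the newest
    existing file, including an existing tombstone; only then touch disk."""
    req = normalize_timestamp(req_ts)
    newest = newest_file(files)
    if newest is not None and req <= file_timestamp(newest):
        return 409
    object_present = newest is not None and not newest.endswith(".ts")
    if method == "POST" and not object_present:
        return 404                    # nothing to update (modelled status)
    files.add(req + SUFFIXES[method])
    if method != "POST":
        unlink_older(files, req)      # a newer .data or .ts supersedes the rest
    if method == "DELETE":
        return 204 if object_present else 404
    return 201 if method == "PUT" else 202


def delete_fixed(files, req_ts):
    return handle_fixed(files, "DELETE", req_ts)


def tombstone_flood(delete, n=1000):
    """Constructed scenario: one object PUT at T, then n DELETEs carrying
    timestamps older than T, oldest last so none of them unlinks another.
    Returns (number of files on disk, set of statuses returned)."""
    files = set()
    handle_fixed(files, "PUT", 1370000000.0)
    statuses = {delete(files, 1370000000.0 - i) for i in range(1, n + 1)}
    return len(files), statuses


def replay_sequence():
    """Constructed scenario: out-of-order and replayed requests against the
    fixed handlers. Returns (statuses in order, files left on disk)."""
    files = set()
    seq = [("PUT", 100.0), ("DELETE", 200.0), ("PUT", 150.0), ("DELETE", 200.0),
           ("POST", 250.0), ("PUT", 300.0), ("POST", 350.0)]
    statuses = [handle_fixed(files, m, t) for m, t in seq]
    return statuses, sorted(files)


if __name__ == "__main__":
    print("vulnerable:", tombstone_flood(delete_vulnerable))
    print("fixed:     ", tombstone_flood(delete_fixed))
    print(replay_sequence())
```

The flood leaves one data file plus a thousand tombstones behind the vulnerable handler and a single data file behind the fixed one. The replay shows the part of the fix the message calls out: once the tombstone at 200 exists, a late PUT at 150 is refused because the handler reads the tombstone's timestamp rather than only looking for a data file.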