Package: swift / 1.4.8-2+deb7u1

Metadata

Package   Version          Patches format
swift     1.4.8-2+deb7u1   3.0 (quilt)

Patch series

Patch File delta Description
CVE-2012-4406_Do-not-use-pickle-for-serialization-in-memcache-but-JSON.patch

doc/manpages/proxy-server.conf.5 | 15 15 + 0 - 0 !
etc/memcache.conf-sample | 10 10 + 0 - 0 !
etc/proxy-server.conf-sample | 12 12 + 0 - 0 !
swift/common/memcached.py | 48 39 + 9 - 0 !
swift/common/middleware/memcache.py | 30 23 + 7 - 0 !
test/unit/common/middleware/test_memcache.py | 5 4 + 1 - 0 !
test/unit/common/test_memcached.py | 22 22 + 0 - 0 !
7 files changed, 125 insertions(+), 17 deletions(-)

Do not use pickle for serialization in memcache, but json

We don't want to use pickle as it can execute arbitrary code. JSON is
safer. However, note that it supports serialization for only some
specific subset of object types; this should be enough for what we need,
though.

To avoid issues on upgrades (inability to read pickled values, and cache
poisoning for old servers not understanding JSON), we add a
memcache_serialization_support configuration option, with the following
values:

  0 = older, insecure pickle serialization
  1 = json serialization but pickles can still be read (still insecure)
  2 = json serialization only (secure and the default)

To avoid an instant full cache flush, existing installations should
upgrade with 0, then set to 1 and reload, then after some time (24
hours) set to 2 and reload. Support for 0 and 1 will be removed in
future versions.
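The three modes described above, as an added illustration that is not swift's own code: an in-memory stand-in for the memcache client stores a flag next to each value so a reader can tell how it was encoded, and the policy decides what it writes and what it is willing to decode. The flag bit values, the class and the walkthrough function are this example's own assumptions; mode 2 turns a pickled entry into a cache miss instead of unpickling it, which is the property the commit message calls "secure".

```python
import json
import pickle  # used only for the legacy modes 0 and 1 described in the commit message

# Flag bits stored alongside each value so a reader knows how it was encoded.
# The bit values are this example's own assumption, not taken from the page.
PICKLE_FLAG = 1
JSON_FLAG = 2


class SerializingCache:
    """In-memory stand-in for a memcache client that applies the
    memcache_serialization_support policy (0, 1 or 2).

    Entries are stored as (flags, raw_bytes) so the encoding chosen on
    write can be recognised on read."""

    def __init__(self, serialization_support=2):
        if serialization_support not in (0, 1, 2):
            raise ValueError("memcache_serialization_support must be 0, 1 or 2")
        # 0: write pickle, read pickle   (insecure)
        # 1: write JSON,   read both     (still insecure: pickled input is trusted)
        # 2: write JSON,   read JSON     (secure default)
        self._allow_pickle = serialization_support == 0
        self._allow_unpickle = serialization_support <= 1
        self._store = {}

    def set(self, key, value):
        if self._allow_pickle:
            raw, flags = pickle.dumps(value, 2), PICKLE_FLAG
        else:
            # json.dumps only handles dicts, lists, strings, numbers, bools and None;
            # tuples come back as lists, which is the "subset of types" caveat.
            raw, flags = json.dumps(value).encode("utf-8"), JSON_FLAG
        self._store[key] = (flags, raw)

    def get(self, key):
        """Return the decoded value, or None on a miss or on an entry whose
        encoding the current policy refuses to decode."""
        if key not in self._store:
            return None
        flags, raw = self._store[key]
        if flags & PICKLE_FLAG:
            if not self._allow_unpickle:
                # Mode 2: a pickled entry (e.g. left over from an older server)
                # is treated as a cache miss rather than being unpickled.
                return None
            return pickle.loads(raw)
        if flags & JSON_FLAG:
            return json.loads(raw.decode("utf-8"))
        return None

    def copy_entries_from(self, other):
        """Simulate the upgrade window: entries written by a server running
        in one mode are visible to a server running in another."""
        self._store.update(other._store)


def upgrade_walkthrough():
    """Follow the 0 -> 1 -> 2 sequence the commit message recommends and
    report what each stage can read from the shared cache."""
    legacy = SerializingCache(0)
    legacy.set("container/acct", {"status": 200, "bytes": 1024})   # constructed entry

    stage1 = SerializingCache(1)          # writes JSON, still reads pickles
    stage1.copy_entries_from(legacy)
    stage1.set("container/acct2", {"status": 200, "bytes": 4096})  # constructed entry

    stage2 = SerializingCache(2)          # JSON only
    stage2.copy_entries_from(stage1)

    return {
        "mode1_reads_legacy": stage1.get("container/acct"),
        "mode2_reads_legacy": stage2.get("container/acct"),   # None: refused
        "mode2_reads_json": stage2.get("container/acct2"),
    }


if __name__ == "__main__":
    for name, value in upgrade_walkthrough().items():
        print(name, "->", value)
```

Running it shows why the staged rollout matters: a server already on mode 2 sees every pickled entry as a miss, so flipping straight from 0 to 2 is equivalent to flushing the cache, while the intermediate mode 1 keeps old entries readable until they have expired or been rewritten as JSON.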
CVE-2013-2161.patch

swift/account/server.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

[PATCH] Check user input in XML responses.

Fixes bug 1183884.

* swift/account/server.py: Escape account name in XML listings.

CVE-2013-4155_DoS_using_superfluous_object_tombstones.patch

swift/obj/server.py | 65 37 + 28 - 0 !
test/unit/obj/test_server.py | 194 191 + 3 - 0 !
2 files changed, 228 insertions(+), 31 deletions(-)

Fix handling of DELETE obj reqs with old timestamp

The DELETE object REST API was creating tombstone files with old timestamps,
potentially filling up the disk, as well as sending container updates.

Here we now make DELETEs with a request timestamp return a 409 (HTTP Conflict)
if a data file exists with a newer timestamp, only creating tombstones if they
have a newer timestamp.

The key fix is to actually read the timestamp metadata from an existing
tombstone file (thanks to Pete Zaitcev for catching this), and then only
create tombstone files with newer timestamps.

We also prevent PUT and POST operations using old timestamps as well.