==========================================================================
Ubuntu Security Notice USN-2256-1
June 25, 2014
swift vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Swift did not properly perform input validation of certain HTTP headers.
Software Description:
- swift: OpenStack distributed virtual object store
Details:
John Dickinson discovered that Swift did not properly quote the
WWW-Authenticate header value. If a user were tricked into navigating to a
malicious Swift URL, an attacker could conduct cross-site scripting
attacks. With cross-site scripting vulnerabilities, if a user were tricked
into viewing server output during a crafted server request, a remote
attacker could exploit this to modify the contents, or steal confidential
data, within the same domain.
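The quoting flaw described above, shown beside a quoted form, as an added example that is not Swift's code and not part of the original notice. The function names, the "Swift realm" challenge format and the derivation of the realm from the account segment of the request path are assumptions made for illustration; the sample paths are constructed.

```python
# Added illustration; not code from Swift. All names here are hypothetical.
import re
from urllib.parse import quote

# Characters that must not reach a quoted header parameter unescaped:
# double quote and backslash (end or escape the quoted-string), angle
# brackets (markup if the value is ever rendered), and control characters.
UNSAFE = re.compile(r'["\\<>\x00-\x1f\x7f]')


def realm_from_path(path):
    """Assumption: the account segment of /v1/<account>/... names the realm."""
    parts = path.split("/")
    return parts[2] if len(parts) > 2 and parts[2] else "unknown"


def challenge_unquoted(path):
    """Flawed pattern: request-derived text interpolated as-is."""
    return 'Swift realm="%s"' % realm_from_path(path)


def challenge_quoted(path):
    """Hardened pattern: percent-encode the request-derived text first."""
    return 'Swift realm="%s"' % quote(realm_from_path(path), safe="")


def realm_is_contained(header_value):
    """True when the realm parameter is one intact quoted-string."""
    m = re.fullmatch(r'Swift realm="(.*)"', header_value)
    return bool(m) and not UNSAFE.search(m.group(1))


if __name__ == "__main__":
    # Constructed sample paths: one ordinary, one carrying quote and markup
    # characters in the account segment.
    for path in ("/v1/AUTH_test/c/o", '/v1/AUTH_"><i>x/c/o'):
        for build in (challenge_unquoted, challenge_quoted):
            value = build(path)
            print(build.__name__, repr(value), realm_is_contained(value))
```

A check like realm_is_contained can be run in a regression test against every code path that emits a 401 challenge.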
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
  python-swift 1.13.1-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2256-1
CVE-2014-3497
Package Information:
https://launchpad.net/ubuntu/+source/swift/1.13.1-0ubuntu1.1