=========================================================================Ubuntu Security Notice USN-2256-1
June 25, 2014
swift vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Swift did not properly perform input validation of certain HTTP headers.
Software Description:
- swift: OpenStack distributed virtual object store
Details:
John Dickinson discovered that Swift did not properly quote the
WWW-Authenticate header value. If a user were tricked into navigating to a
malicious Swift URL, an attacker could conduct cross-site scripting
attacks. With cross-site scripting vulnerabilities, if a user were tricked
into viewing server output during a crafted server request, a remote
attacker could exploit this to modify the contents, or steal confidential
data, within the same domain.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
python-swift 1.13.1-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-2256-1
CVE-2014-3497
Package Information:
https://launchpad.net/ubuntu/+source/swift/1.13.1-0ubuntu1.1