Updated openstack-swift packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for RHEL 6.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

OpenStack Object Storage (swift) provides object storage in virtual containers, which allows users to store and retrieve files (arbitrary data). The service’s distributed architecture supports horizontal scaling; redundancy as failure-proofing is provided through software-based data replication. Because Object Storage supports asynchronous eventual consistency replication, it is well suited to multiple data-center deployment.

A memory-leak issue was found in OpenStack Object Storage (swift), in the proxy-to-server connection. An OpenStack-authenticated attacker could remotely trigger this flaw to cause denial of service through excess memory consumption. (CVE-2016-0738)

A memory-leak issue was found in OpenStack Object Storage (swift), in the client-to-proxy connection. An OpenStack-authenticated attacker could remotely trigger this flaw to cause denial of service through excess memory consumption. (CVE-2016-0737)

Red Hat would like to thank the OpenStack project for reporting these issues. Upstream acknowledges Romain Le Disez from OVH and Örjan Persson from Kiliaro as the original reporters.

All users of openstack-swift are advised to upgrade to these updated packages, which correct these issues. After installing this update, the OpenStack Object Storage services will be restarted automatically.

Red Hat OpenStack 5.0 for RHEL 6

SRPMS:
openstack-swift-1.13.1-8.el6ost.src.rpm
 
x86_64:
openstack-swift-1.13.1-8.el6ost.noarch.rpm
openstack-swift-account-1.13.1-8.el6ost.noarch.rpm
openstack-swift-container-1.13.1-8.el6ost.noarch.rpm
openstack-swift-doc-1.13.1-8.el6ost.noarch.rpm
openstack-swift-object-1.13.1-8.el6ost.noarch.rpm
openstack-swift-proxy-1.13.1-8.el6ost.noarch.rpm
 
(The unlinked packages above are only available from the Red Hat Network)
1298905 – CVE-2016-0738 openstack-swift: Proxy to server DoS through Large Objects
1298924 – CVE-2016-0737 openstack-swift: Client to proxy DoS through Large Objects
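
To confirm that a host has picked up the fixed build listed above, the following added example (not part of the advisory and not Red Hat tooling) flags openstack-swift packages older than 1.13.1-8.el6ost. It assumes input lines in the NAME-VERSION-RELEASE.ARCH form printed by `rpm -qa`, uses a simplified version comparison, and the sample lines are constructed.

```python
import re

# Fixed version and release named in this advisory for every subpackage.
FIXED = ("1.13.1", "8.el6ost")
NVR = re.compile(r"^(openstack-swift(?:-[a-z]+)?)-([^-]+)-([^-]+)\.(noarch|src)$")

# Constructed sample of `rpm -qa` output (not taken from a real host).
SAMPLE = [
    "openstack-swift-1.13.1-8.el6ost.noarch",
    "openstack-swift-proxy-1.13.1-7.el6ost.noarch",
    "openstack-swift-object-1.9.0-2.el6ost.noarch",
    "python-swiftclient-2.1.0-2.el6ost.noarch",
]

def _segments(s):
    # Split on non-alphanumerics and on digit/letter boundaries.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpm-style compare: -1, 0 or 1 (tilde/caret rules not handled)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def unpatched(rpm_qa_lines):
    """Return openstack-swift package strings older than the fixed build."""
    stale = []
    for line in rpm_qa_lines:
        m = NVR.match(line.strip())
        if not m:
            continue  # not an openstack-swift package
        version, release = m.group(2), m.group(3)
        # Compare version first; fall back to release only when versions tie.
        if (vercmp(version, FIXED[0]) or vercmp(release, FIXED[1])) < 0:
            stale.append(line.strip())
    return stale

if __name__ == "__main__":
    for pkg in unpatched(SAMPLE):
        print("needs update:", pkg)
```
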

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from: