Updated openstack-swift packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 6.0 for RHEL 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
OpenStack Object Storage (swift) provides object storage in virtual containers, which allows users to store and retrieve files (arbitrary data). The service's distributed architecture supports horizontal scaling; redundancy as failure-proofing is provided through software-based data replication. Because Object Storage supports asynchronous eventual consistency replication, it is well suited to multiple data-center deployment.

A memory-leak issue was found in OpenStack Object Storage (swift), in the proxy-to-server connection. An OpenStack-authenticated attacker could remotely trigger this flaw to cause denial of service through excess memory consumption. (CVE-2016-0738)

A memory-leak issue was found in OpenStack Object Storage (swift), in the client-to-proxy connection. An OpenStack-authenticated attacker could remotely trigger this flaw to cause denial of service through excess memory consumption. (CVE-2016-0737)

Red Hat would like to thank the OpenStack project for reporting these issues. Upstream acknowledges Romain Le Disez from OVH and Örjan Persson from Kiliaro as the original reporters.

All users of openstack-swift are advised to upgrade to these updated packages, which correct these issues. After installing this update, the OpenStack Object Storage services will be restarted automatically.
Red Hat OpenStack 6.0 for RHEL 7
MD5: 9aa41e7b49c6293935594d8d3bf45d86
SHA-256: 2786e50f053f4dcb53f0ae941d54f3f6ee6976d51de329a864eaa9b41ab216f4

MD5: 66c17dd07ca9bd62a2a07d1f15b96042
SHA-256: f80b255be42507f4fe10b7f1a0fd17de84942c8d3af95df1c1c20818a3c114fd

MD5: 7e097b737fddb50965a7855d5346340c
SHA-256: 97b03508f7edd6c432d26cd199b2765d3003cf84f3aaa212c729ce866e1c26cd

MD5: 22cab2ace6a922241efc033173906c4c
SHA-256: fffab203df81d30033f14c3b46ea5ba935518f5c2490190b7aaf43c1f793c66a

MD5: f0ddab4ddd9461ef8bbec0c7e6de4241
SHA-256: ba5df2a953ad411fba328e32fc2474fe41a28c887cdefa03017b0e896cce67b1

MD5: 4f716b66f9342e1d78cc6a0583e4bd46
SHA-256: 701a203c8a81e92ac1a3ef22b4ca620ae225e1f74de0730469b24b4243ac8e72

MD5: 80eb223ca1b072056a8f53f057d0a06b
SHA-256: 07ba287ee3c90e8496fac3cdfd636ed229744f109da06f2850e353f510ffc6f1
(The unlinked packages above are only available from the Red Hat Network)
1298905 – CVE-2016-0738 openstack-swift: Proxy to server DoS through Large Objects
1298924 – CVE-2016-0737 openstack-swift: Client to proxy DoS through Large Objects
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
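The checksums listed above are only useful if an operator actually compares them before installing the packages. The following is an added example, not part of the Red Hat advisory, showing a small POSIX shell helper that compares a downloaded file's SHA-256 against a published value. It assumes `sha256sum` from coreutils is installed; the sample file it checks is constructed in a temporary directory (the published hash of the three-byte string `abc`), since the advisory does not list the package file names.

```shell
#!/bin/sh
# Added example (not from the Red Hat advisory): check a downloaded package
# against the SHA-256 value published for it before installing.
# Assumes coreutils sha256sum; the sample file below is constructed.

verify_sha256() {
    # $1 = path to the downloaded file
    # $2 = expected SHA-256 as 64 lowercase hex characters (as printed in the advisory)
    # Returns 0 when the digests match, 1 otherwise.
    [ -r "$1" ] || return 1
    actual=$(sha256sum "$1" | awk '{print tolower($1)}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Constructed sample: stands in for an RPM downloaded from Red Hat Network.
# SHA-256("abc") is a well-known test vector.
SAMPLE_DIR=$(mktemp -d)
printf 'abc' > "$SAMPLE_DIR/sample.rpm"
SAMPLE_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

if verify_sha256 "$SAMPLE_DIR/sample.rpm" "$SAMPLE_SHA256"; then
    echo "sample.rpm: SHA-256 OK"
else
    echo "sample.rpm: SHA-256 MISMATCH, do not install" >&2
fi

# A tampered copy (one byte changed) must be rejected.
printf 'abd' > "$SAMPLE_DIR/tampered.rpm"
if verify_sha256 "$SAMPLE_DIR/tampered.rpm" "$SAMPLE_SHA256"; then
    echo "tampered.rpm: unexpectedly accepted" >&2
else
    echo "tampered.rpm: rejected as expected"
fi

rm -rf "$SAMPLE_DIR"
```

Replace the constructed sample with the real downloaded RPM and the matching SHA-256 from the list above. The checksum confirms the download is the file Red Hat published; the GPG signature the advisory refers to is a separate check (`rpm --checksig <package>.rpm` verifies it against the Red Hat key imported into the RPM database) and covers who signed the package rather than just what was downloaded.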