CVEs related to bugs in OpenStack Object Storage (swift)

Open bugs

Bug CVE(s)
Bug #1409302: Use of GreenAsyncPile can lose txn_id logging CVE-2016-0738
OpenStack Object Storage (swift) In progress, assigned to janonymous
Bug #1529836: Fix deprecated library function (os.popen()). CVE-2016-0738
OpenStack Object Storage (swift) In progress, assigned to Harshada Mangesh Kakad

Resolved bugs

Bug CVE(s)
Bug #1006414: Insecure loads() CVE-2012-4406
OpenStack Object Storage (swift) Fix released, assigned to Vincent Untz
Bug #1177924: Use testr instead of nose as the unittest runner. CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Richard Hawkins
Bug #1183884: [OSSA 2013-016] Unescaped content embedded in XML (CVE-2013-2161) CVE-2013-2161
OpenStack Object Storage (swift) Fix released, assigned to Jeremy Stanley
Bug #1188189: Some server-side 'SSL' communication fails to check certificates (use of HTTPSConnection) CVE-2013-2255
OpenStack Object Storage (swift) Invalid (unassigned)
Bug #1196932: [OSSA 2013-022] Possibly DoS attack using object tombstones (CVE-2013-4155) CVE-2013-4155
OpenStack Object Storage (swift) Fix released, assigned to Peter Portante
Bug #1265665: [OSSA 2014-002] Possible timing attack against tempurl (CVE-2014-0006) CVE-2014-0006
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1327414: [OSSA 2014-020] www-authenticate value isn't quoted (CVE-2014-3497) CVE-2014-3497
OpenStack Object Storage (swift) Fix released, assigned to John Dickinson
Bug #1419901: container-sync checks invalid ClientException CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Eran Rom
Bug #1419916: Container-sync doesn't timeout when putting/deleting object CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Christian Schwede
Bug #1425679: swift-object-info should try harder on tombstones CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Ricardo Ferreira
Bug #1428866: swift-object-info display for sysmeta CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Kamil Rykowski
Bug #1430645: [OSSA 2015-006] unauthorized delete from container with x-version-location (CVE-2015-1856) CVE-2015-1856
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1434465: Tempauth Fails with Authorization Header CVE-2015-1856
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1437442: v1 in the API url seems to be a placeholder CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to John Dickinson
Bug #1438579: swift-ring-builder - empty device name CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Christian Schwede
Bug #1441599: test_policy_IO_override from test.unit.proxy.test_server.TestObjectController randomly fails CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Mike Fedosin
Bug #1444327: String not translatable in swift/common/manager.py CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Andreas Jaeger
Bug #1449212: Container level temp URLs can unintentionally leak data. CVE-2015-5223
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1453807: Post (not as copy) to SLO manifest destroys its state as a manifest CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1453948: [OSSA 2015-016] all PUT tempurls leak existence via DLO manifest attack (CVE-2015-5223) CVE-2015-5223
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1457262: handoffs_first should log warning CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Pradeep Kumar Singh
Bug #1457691: node timeout on overwrite can easily cause mis-matched etag fragment to 503 CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to paul luse
Bug #1466549: [OSSA 2016-004] Download DLO objects leak connections when client kill connection (CVE-2016-0737) CVE-2016-0737, CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1467677: Server side copy with Single Ranged read not working with Erasure Coded Data CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1468120: disparsion-reports fails by HTTP_Error CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Kazuhiro MIYAHARA
Bug #1468298: Reconstructor remaining time is incorrect, because total jobs number is increase continually CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Charles Hsu
Bug #1468374: swift dispersion does not support keystone auth v3 CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Falk Reimann
Bug #1469951: swift-object-info uses wrong policy for calculating while no full data path in the command CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Daisuke Morita
Bug #1470576: mount_check does not prevent writing to root mount CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Ben Martin
Bug #1472201: EC GET makes a "Client disconnected on read" warning CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1475499: EC: proxy server returns wrong response on range GET CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Daisuke Morita
Bug #1476623: Excessive resource consumption looking for containers to sync CVE-2015-5223, CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Eran Rom
Bug #1477283: project_id and user_id are empty in ceilometer storage.objects.outgoing.bytes for dlo objects CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Clément Contini
Bug #1477877: Fix six typos on swift documentation CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Atsushi SAKAI
Bug #1479972: HUP signal doesn't shutdown wsgi servers CVE-2015-5223
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1481623: Shebang of several commands is "#!/usr/bin/python" CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to kenichiro matsuda
Bug #1482096: swift-ring-builder sometimes uses .builder file when given .ring.gz and vice versa CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Christian Schwede
Bug #1483705: testCopyDestinationSlashProblems functional test fails CVE-2015-5223
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1484565: "Quorum" on durable response is too low CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Bill Huber
Bug #1488704: FakeRing does fake get_part anymore CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Aniruddha Singh Gautam
Bug #1489587: Reconstruction error CVE-2015-5223
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1489749: staticweb middleware ignores acl and breaks clients CVE-2015-5249
OpenStack Object Storage (swift) Fix released, assigned to Christian Schwede
Bug #1493303: [OSSA 2016-004] Swift proxy memory leak on unfinished read (CVE-2016-0738) CVE-2015-5223, CVE-2016-0737, CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1526017: expose time remaining in min_part_hours CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Ben Martin
Bug #1526575: *LO subrequests don't pass on the referer or req.acl on CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Matthew Oliver
Bug #1526588: Reconciler unit test fails in non-UTC time zone CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1526697: Typo in Deployment Guide CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Mingyu Li
Bug #1526725: tox -e func -- --until-failure does not work CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Alistair Coles
Bug #1528189: auth_prefix option in tempauth middleware does not work CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Christopher Bartz
Bug #1529321: AttributeError: 'LogAdapter' object has no attribute 'warn' CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to ChangBo Guo(gcb)
Bug #1531173: write_affinity stores only replica counts in local region. The write_affinity_node_count has no effect CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Hugo Kou
Bug #1532126: PUT X-Copy-From with Range violates RFC7233 CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1532276: ring device holes not reused CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Paul Dardeau
Bug #1532471: invalid x-timestamp causes 500 CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1533002: object-auditor skips EC fragments CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Tim Burke
Bug #1533768: inconsistent types returned for metadata CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Richard Hawkins
Bug #1534276: inconsistent suffix hashes after ssync replication of a tombstone CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1534303: Slowdown on PUT with write-affinity on and zero-weight zone CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Samuel Merritt
Bug #1534325: remove jerasure from swift docs CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1536037: fast-post broken with object mem server CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Alistair Coles
Bug #1536067: Duplicated code CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Béla Vancsics
Bug #1537042: versioned_writes middleware is mis-placed in proxy pipeline CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Alistair Coles
Bug #1538834: max_large_object_get_time is not used CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Larry Rensing
Bug #1540884: Object copied by container-sync may have older timestamp than source CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Alistair Coles
Bug #1541491: recon not contacting all hosts when using storage policies CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Christopher Bartz
Bug #1542168: EC: Accept-Range missing in EC GET response CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1542227: docs and sample config wrongly suggest that default log_statsd_host is localhost CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Gage Hugo
Bug #1546865: older PUT than tombstone creates .data file CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1550067: test_object_delete_at_aysnc_update is misnamed. CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Ben Keller
Bug #1655781: Swift object/proxy server writing Auth Token to log file (swauth) CVE-2017-16613
OpenStack Object Storage (swift) Invalid (unassigned)
Bug #1685798: Swift tempurl middleware reveals signatures in the logfiles (CVE-2017-8761) CVE-2017-8761
OpenStack Object Storage (swift) Fix released, assigned to Christian Schwede
Bug #1998625: [OSSA-2023-001] Arbitrary file access through custom S3 XML entities (CVE-2022-47950) CVE-2022-47950
OpenStack Object Storage (swift) Fix released, assigned to Tim Burke