Tristan Cacqueray (tristan-cacqueray) wrote : Re: Swift proxy memory leak on unfinished read

Here is the final impact description for both bug 1493303 and bug 1466549.
If it's accurate, I'd like to send the advance notification asap with a disclosure date set to:
2016-01-20, 1500UTC

Title: Swift proxy-server DoS through Large Object
Reporter: Romain LE DISEZ (OVH), Örjan Persson (Kiliaro)
Products: Swift
Affects: client to proxy: >=2.2.1 <= 2.3.0
         proxy to server: >=2.2.1 <= 2.3.0, >= 2.4.0 <= 2.5.0

Romain LE DISEZ from OVH and Örjan Persson from Kiliaro independently
reported two vulnerabilities in Swift Large Object. By repeatedly
requesting and interrupting connections to a Large Object (Dynamic or
Static) URL, a remote attacker may exhaust Swift proxy-server
resources, potentially resulting in a denial of service. Note that there
are two distinct bugs that can exhaust proxy resources, one for client
connections (client to proxy), one for server connections (proxy to
server). All Swift setups are affected.
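The bug class behind this advisory, a streaming proxy that only releases a backend resource once the whole object has been read, is easy to reproduce in miniature. The following is an added example written for this page, not Swift's own proxy code: `BackendConn`, `ConnPool` and the two `*_stream` generators are hypothetical stand-ins for the proxy-to-object-server connection handling, and the "client disconnect" is simulated by calling `close()` on the response generator, which is what a WSGI server does when the client socket drops. The leaky generator holds its connection forever once the read is interrupted; the hardened one releases it from a `finally` block, which also runs on `GeneratorExit`.

```python
"""Constructed illustration (not Swift's code) of how a streaming proxy
leaks backend connections when a client abandons a Large Object read."""


class BackendConn:
    """Hypothetical stand-in for one proxy-to-object-server connection."""

    def __init__(self, segments):
        self.segments = segments

    def read_segments(self):
        for seg in self.segments:
            yield seg


class ConnPool:
    """Tracks how many backend connections are acquired but not released."""

    def __init__(self, segments):
        self.segments = segments  # constructed sample object body
        self.in_use = 0

    def acquire(self):
        self.in_use += 1
        return BackendConn(self.segments)

    def release(self, conn):
        self.in_use -= 1


def leaky_stream(pool):
    """Vulnerable pattern: the release only runs after the last segment.
    If the client disconnects mid-read, the server closes this generator,
    GeneratorExit is raised at the yield, and release() is never reached."""
    conn = pool.acquire()
    for seg in conn.read_segments():
        yield seg
    pool.release(conn)


def safe_stream(pool):
    """Hardened pattern: finally runs on normal exhaustion and on close()."""
    conn = pool.acquire()
    try:
        for seg in conn.read_segments():
            yield seg
    finally:
        pool.release(conn)


def simulate_aborted_reads(stream_fn, pool, attempts, read_before_abort=1):
    """Emulate `attempts` clients that each read a few segments and then
    drop the connection. Returns the backend connections still held."""
    for _ in range(attempts):
        resp = stream_fn(pool)
        for _ in range(read_before_abort):
            next(resp)
        resp.close()  # what the WSGI server does when the socket drops
    return pool.in_use


def simulate_full_read(stream_fn, pool):
    """A well-behaved client that reads to the end; both patterns are
    fine here, which is why the leak only shows up on interrupted reads."""
    list(stream_fn(pool))
    return pool.in_use


if __name__ == "__main__":
    body = [b"segment"] * 5
    print("leaky, 100 aborted reads:", simulate_aborted_reads(leaky_stream, ConnPool(body), 100))
    print("safe,  100 aborted reads:", simulate_aborted_reads(safe_stream, ConnPool(body), 100))
    print("leaky, full read:", simulate_full_read(leaky_stream, ConnPool(body)))
```

The check a practitioner wants from a fix for this class of bug is the second assertion: after any number of interrupted reads, the count of held backend connections must return to zero, not merely stay bounded for complete reads.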