| Date | Who | What | Old value | New value | Message |
|---|---|---|---|---|---|
| 2015-05-11 20:25:31 | clayg | bug | | | added bug |
| 2015-05-11 20:25:31 | clayg | attachment added | | show how to use any PUT tempurl to probe for object/container existence https://bugs.launchpad.net/bugs/1453948/+attachment/4395824/+files/put-tempurl-dlo-leak.patch | |
| 2015-05-11 20:37:09 | clayg | bug | | | added subscriber Richard Hawkins |
| 2015-05-12 01:09:24 | Tristan Cacqueray | bug task added | | ossa | |
| 2015-05-12 01:09:31 | Tristan Cacqueray | ossa: status | New | Confirmed | |
| 2015-05-12 01:09:54 | Tristan Cacqueray | ossa: importance | Undecided | Medium | |
| 2015-05-14 13:56:05 | Jeremy Stanley | ossa: status | Confirmed | Incomplete | |
| 2015-06-12 23:50:17 | John Dickinson | swift: status | New | Confirmed | |
| 2015-06-23 02:33:08 | clayg | attachment added | | 400 PUT tempurls that have an x-object-manifest header https://bugs.launchpad.net/swift/+bug/1453948/+attachment/4418957/+files/fix-tempurl-dlo-surprise.patch | |
| 2015-06-29 14:31:43 | Jeremy Stanley | bug | | | added subscriber Swift Core security contacts |
| 2015-06-29 14:42:04 | Tristan Cacqueray | bug | | | added subscriber OSSG CoreSec |
| 2015-07-24 04:16:58 | Kota Tsuyuzaki | attachment added | | fix-tempurl-for-clayg.diff https://bugs.launchpad.net/ossa/+bug/1453948/+attachment/4433373/+files/fix-tempurl-for-clayg.diff | |
| 2015-07-24 05:39:28 | clayg | attachment added | | fix-patch-for-kota.patch https://bugs.launchpad.net/swift/+bug/1453948/+attachment/4433396/+files/fix-patch-for-kota.patch | |
| 2015-07-27 04:11:50 | John Dickinson | description | If you get a PUT tempurl you can use DLOs to find objects in the container, or in the account. If you are allowed to upload a DLO via PUT tempurl and the application that generated the tempurl believes it safe to generate a GET tempurl for the data they just authorized you to upload - they may accidentally authorize you to download any previously discovered data. We should now allow users to PUT DLOs via tempurl - it's currently insecure because of the existence leak attack; and can be difficult to reason about safely for application authors generating tempurls. | If you get a PUT tempurl you can use DLOs to find objects in the container, or in the account. If you are allowed to upload a DLO via PUT tempurl and the application that generated the tempurl believes it safe to generate a GET tempurl for the data they just authorized you to upload - they may accidentally authorize you to download any previously discovered data. We should not allow users to PUT DLOs via tempurl - it's currently insecure because of the existence leak attack; and can be difficult to reason about safely for application authors generating tempurls. | |
| 2015-07-29 07:52:15 | John Dickinson | attachment added | | tempurl.patch https://bugs.launchpad.net/swift/+bug/1453948/+attachment/4435635/+files/tempurl.patch | |
| 2015-07-29 17:29:14 | John Dickinson | attachment added | | juno-tempurl-bp.patch https://bugs.launchpad.net/swift/+bug/1453948/+attachment/4435840/+files/juno-tempurl-bp.patch | |
| 2015-07-29 17:29:47 | John Dickinson | attachment added | | kilo-tempurl-bp.patch https://bugs.launchpad.net/swift/+bug/1453948/+attachment/4435842/+files/kilo-tempurl-bp.patch | |
| 2015-07-29 17:31:00 | John Dickinson | swift: importance | Undecided | Critical | |
| 2015-08-05 11:06:15 | Alistair Coles | attachment added | | anc-tempurl-dlo-POST-regression https://bugs.launchpad.net/swift/+bug/1453948/+attachment/4439702/+files/anc-tempurl-dlo-POST-regression | |
| 2015-08-05 11:14:36 | Alistair Coles | attachment added | | anc-tempurl-dlo-POST-test https://bugs.launchpad.net/swift/+bug/1453948/+attachment/4439705/+files/anc-tempurl-dlo-POST-test | |
| 2015-08-17 14:48:17 | Tristan Cacqueray | ossa: status | Incomplete | Triaged | |
| 2015-08-17 14:48:19 | Tristan Cacqueray | ossa: assignee | | Tristan Cacqueray (tristan-cacqueray) | |
| 2015-08-19 20:29:04 | Tristan Cacqueray | ossa: status | Triaged | In Progress | |
| 2015-08-19 21:12:27 | Tristan Cacqueray | summary | all PUT tempurls leak existence via DLO manifest attack | all PUT tempurls leak existence via DLO manifest attack (CVE-2015-5223) | |
| 2015-08-19 21:12:38 | Tristan Cacqueray | cve linked | | 2015-5223 | |
| 2015-08-20 10:30:29 | Alistair Coles | bug | | | added subscriber Gerry Drudy |
| 2015-08-20 19:11:07 | Tristan Cacqueray | ossa: status | In Progress | Fix Committed | |
| 2015-08-26 15:00:54 | Tristan Cacqueray | information type | Private Security | Public Security | |
| 2015-08-26 15:40:40 | Tristan Cacqueray | summary | all PUT tempurls leak existence via DLO manifest attack (CVE-2015-5223) | [OSSA 2015-016] all PUT tempurls leak existence via DLO manifest attack (CVE-2015-5223) | |
| 2015-08-27 09:32:46 | OpenStack Infra | tags | | in-stable-juno | |
| 2015-08-27 10:26:30 | OpenStack Infra | swift: status | Confirmed | Fix Committed | |
| 2015-08-27 12:44:14 | OpenStack Infra | tags | in-stable-juno | in-stable-juno in-stable-kilo | |
| 2015-09-01 12:25:22 | Thierry Carrez | swift: status | Fix Committed | Fix Released | |
| 2015-09-01 12:25:22 | Thierry Carrez | swift: milestone | | 2.4.0 | |
| 2015-09-03 21:31:09 | OpenStack Infra | tags | in-stable-juno in-stable-kilo | in-feature-crypto in-stable-juno in-stable-kilo | |
| 2015-09-08 12:15:27 | Tristan Cacqueray | ossa: status | Fix Committed | Fix Released | |
| 2015-09-08 20:44:25 | OpenStack Infra | tags | in-feature-crypto in-stable-juno in-stable-kilo | in-feature-crypto in-feature-hummingbird in-stable-juno in-stable-kilo | |