CVEs related to bugs in OpenStack Object Storage (swift)

Open bugs

Bug CVE(s)
Bug #1409302: Use of GreenAsyncPile can lose txn_id logging CVE-2016-0738
OpenStack Object Storage (swift) In progress, assigned to janonymous
Bug #1529836: Fix deprecated library function (os.popen()). CVE-2016-0738
OpenStack Object Storage (swift) In progress, assigned to Harshada Mangesh Kakad
Bug #1655781: Swift object/proxy server writing Auth Token to log file (swauth) CVE-2017-16613
OpenStack Object Storage (swift) New (unassigned)

Resolved bugs

Bug CVE(s)
Bug #1006414: Insecure loads() CVE-2012-4406
OpenStack Object Storage (swift) Fix released, assigned to Vincent Untz
Bug #1177924: Use testr instead of nose as the unittest runner. CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Richard Hawkins
Bug #1183884: [OSSA 2013-016] Unescaped content embedded in XML (CVE-2013-2161) CVE-2013-2161
OpenStack Object Storage (swift) Fix released, assigned to Jeremy Stanley
Bug #1188189: Some server-side 'SSL' communication fails to check certificates (use of HTTPSConnection) CVE-2013-2255
OpenStack Object Storage (swift) Invalid (unassigned)
Bug #1196932: [OSSA 2013-022] Possibly DoS attack using object tombstones (CVE-2013-4155) CVE-2013-4155
OpenStack Object Storage (swift) Fix released, assigned to Peter Portante
Bug #1265665: [OSSA 2014-002] Possible timing attack against tempurl (CVE-2014-0006) CVE-2014-0006
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1327414: [OSSA 2014-020] www-authenticate value isn't quoted (CVE-2014-3497) CVE-2014-3497
OpenStack Object Storage (swift) Fix released, assigned to John Dickinson
Bug #1419901: container-sync checks invalid ClientException CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Eran Rom
Bug #1419916: Container-sync doesn't timeout when putting/deleting object CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Christian Schwede
Bug #1425679: swift-object-info should try harder on tombstones CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Ricardo Ferreira
Bug #1428866: swift-object-info display for sysmeta CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Kamil Rykowski
Bug #1430645: [OSSA 2015-006] unauthorized delete from container with x-version-location (CVE-2015-1856) CVE-2015-1856
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1434465: Tempauth Fails with Authorization Header CVE-2015-1856
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1437442: v1 in the API url seems to be a placeholder CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to John Dickinson
Bug #1438579: swift-ring-builder - empty device name CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Christian Schwede
Bug #1441599: test_policy_IO_override from test.unit.proxy.test_server.TestObjectController randomly fails CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Mike Fedosin
Bug #1444327: String not translatable in swift/common/manager.py CVE-2015-1856
OpenStack Object Storage (swift) Fix released, assigned to Andreas Jaeger
Bug #1449212: Container level temp URLs can unintentionally leak data. CVE-2015-5223
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1453807: Post (not as copy) to SLO manifest destroys its state as a manifest CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1453948: [OSSA 2015-016] all PUT tempurls leak existence via DLO manifest attack (CVE-2015-5223) CVE-2015-5223
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1457262: handoffs_first should log warning CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Pradeep Kumar Singh
Bug #1457691: node timeout on overwrite can easily cause mis-matched etag fragment to 503 CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to paul luse
Bug #1466549: [OSSA 2016-004] Download DLO objects leak connections when client kill connection (CVE-2016-0737) CVE-2016-0737
CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1467677: Server side copy with Single Ranged read not working with Erasure Coded Data CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1468120: disparsion-reports fails by HTTP_Error CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Kazuhiro MIYAHARA
Bug #1468298: Reconstructor remaining time is incorrect, because total jobs number is increase continually CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Charles Hsu
Bug #1468374: swift dispersion does not support keystone auth v3 CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Falk Reimann
Bug #1469951: swift-object-info uses wrong policy for calculating while no full data path in the coomand CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Daisuke Morita
Bug #1470576: mount_check does not prevent writing to root mount CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Ben Martin
Bug #1472201: EC GET makes a "Client disconnected on read" warning CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1475499: EC: proxy server returns wrong response on range GET CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Daisuke Morita
Bug #1476623: Excessive resource consumption looking for containers to sync CVE-2015-5223
CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Eran Rom
Bug #1477283: project_id and user_id are empty in ceilometer storage.objects.outgoing.bytes for dlo objects CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Clément Contini
Bug #1477877: Fix six typos on swift documentation CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Atsushi SAKAI
Bug #1479972: HUP signal doesn't shutdown wsgi servers CVE-2015-5223
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1481623: Shebang of several commands is "#!/usr/bin/python" CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to kenichiro matsuda
Bug #1482096: swift-ring-builder sometimes uses .builder file when given .ring.gz and vice versa CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Christian Schwede
Bug #1483705: testCopyDestinationSlashProblems functional test fails CVE-2015-5223
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1484565: "Quorum" on durable response is too low CVE-2015-5223
OpenStack Object Storage (swift) Fix released, assigned to Bill Huber
Bug #1488704: FakeRing does fake get_part anymore CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Aniruddha Singh Gautam
Bug #1489587: Reconstruction error CVE-2015-5223
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1489749: staticweb middleware ignores acl and breaks clients CVE-2015-5249
OpenStack Object Storage (swift) Fix released, assigned to Christian Schwede
Bug #1493303: [OSSA 2016-004] Swift proxy memory leak on unfinished read (CVE-2016-0738) CVE-2016-0737
CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1526017: expose time remaining in min_part_hours CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Ben Martin
Bug #1526575: *LO subrequests don't pass on the referer or req.acl on CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Matthew Oliver
Bug #1526588: Reconciler unit test fails in non-UTC time zone CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1526697: Typo in Deployment Guide CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Mingyu Li
Bug #1526725: tox -e func -- --until-failure does not work CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Alistair Coles
Bug #1528189: auth_prefix option in tempauth middleware does not work CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Christopher Bartz
Bug #1529321: AttributeError: 'LogAdapter' object has no attribute 'warn' CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to ChangBo Guo(gcb)
Bug #1531173: write_affinity stores only replica counts in local region. The write_affinity_node_count has no effect CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Hugo Kou
Bug #1532126: PUT X-Copy-From with Range violates RFC7233 CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1532276: ring device holes not reused CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Paul Dardeau
Bug #1532471: invalid x-timestamp causes 500 CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1533002: object-auditor skips EC fragments CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Tim Burke
Bug #1533768: inconsistent types returned for metadata CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Richard Hawkins
Bug #1534276: inconsistent suffix hashes after ssync replication of a tombstone CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1534303: Slowdown on PUT with write-affinity on and zero-weight zone CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Samuel Merritt
Bug #1534325: remove jerasure from swift docs CVE-2016-0738
OpenStack Object Storage (swift) Fix released (unassigned)
Bug #1536037: fast-post broken with object mem server CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Alistair Coles
Bug #1536067: Duplicated code CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Béla Vancsics
Bug #1537042: versioned_writes middleware is mis-placed in proxy pipeline CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Alistair Coles
Bug #1538834: max_large_object_get_time is not used CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Larry Rensing
Bug #1540884: Object copied by container-sync may have older timestamp than source CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Alistair Coles
Bug #1541491: recon not contacting all hosts when using storage policies CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Christopher Bartz
Bug #1542168: EC: Accept-Range missing in EC GET response CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1542227: docs and sample config wrongly suggest that default log_statsd_host is localhost CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Gage Hugo
Bug #1546865: older PUT than tombstone creates .data file CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Kota Tsuyuzaki
Bug #1550067: test_object_delete_at_aysnc_update is misnamed. CVE-2016-0738
OpenStack Object Storage (swift) Fix released, assigned to Ben Keller