Security update for openstack-swift

SUSE Security Update: Security update for openstack-swift
Announcement ID: SUSE-SU-2014:0547-1
Rating: moderate
References: #858459
Affected Products:
  • SUSE Cloud 3

  • An update that fixes one vulnerability is now available.


    A timing attack vulnerability has been fixed in
    openstack-swift, namely in the Swift TempURL middleware.

    By analyzing response times to arbitrary TempURL requests,
    an attacker may be able to guess valid secret URLs and get
    access to objects that were only intended to be publicly
    shared with specific recipients. In order to use this
    attack, the attacker needs to know the targeted object
    name, and the object account needs to have a TempURL key
    set. Only Swift setups enabling the TempURL middleware are

    Security Issue reference:

    * CVE-2014-0006

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Cloud 3:
      zypper in -t patch sleclo30sp3-openstack-swift-8959

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Cloud 3 (x86_64):
    • openstack-swift-1.10.0-0.13.2
    • openstack-swift-account-1.10.0-0.13.2
    • openstack-swift-container-1.10.0-0.13.2
    • openstack-swift-object-1.10.0-0.13.2
    • openstack-swift-proxy-1.10.0-0.13.2
    • python-swift-1.10.0-0.13.2
    • SUSE Cloud 3 (noarch):
    • openstack-swift-doc-1.10.0+git.1382343573.79e2a50-0.13.3