Upstream reported the below vulnerability in OpenStack:

"""
Title: Unauthorized delete of versioned Swift object
Reporter: Clay Gerrard (SwiftStack)
Products: Swift
Affects: up to version 2.2.2

Description:
Clay Gerrard from SwiftStack reported a vulnerability in Swift object versioning. An authenticated user can delete the most recent version of any versioned object whose name is known if the user has listing access to the x-versions-location container. Only Swift setups with allow_version setting are affected.
"""

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Clay Gerrard of SwiftStack as the original reporter.
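An added example, not part of the original report or of Swift's own code: a check of whether a node meets both conditions the advisory states (version up to 2.2.2 and object versioning enabled). It assumes the setting the advisory calls allow_version is the `allow_versions` option in container-server.conf; the function names and sample configs are constructed for illustration.

```python
import configparser
import re

# Strings Swift's config parsing treats as true.
TRUE_VALUES = {"true", "1", "yes", "on", "t", "y"}
LAST_AFFECTED = (2, 2, 2)  # advisory: "Affects: up to version 2.2.2"


def parse_version(text):
    """Turn '2.2.2' or '2.2.2-1.el7ost' into a comparable (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def versioning_enabled(conf_text):
    """True if [DEFAULT] or any section sets allow_versions to a true value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    values = [cp.defaults().get("allow_versions", "")]
    values += [cp.get(s, "allow_versions", fallback="") for s in cp.sections()]
    return any(v.strip().lower() in TRUE_VALUES for v in values)


def assess(version, conf_text):
    """Classify a node against the two conditions in the advisory."""
    if parse_version(version) > LAST_AFFECTED:
        return "version-not-affected"
    if versioning_enabled(conf_text):
        return "exposed"
    return "affected-version-versioning-off"


# Constructed sample configs (assumed container-server.conf layout).
CONF_ON = "[DEFAULT]\nbind_port = 6001\n\n[app:container-server]\nallow_versions = True\n"
CONF_OFF = "[DEFAULT]\nbind_port = 6001\n\n[app:container-server]\n# allow_versions = false\n"

if __name__ == "__main__":
    for ver, conf in (("2.2.2", CONF_ON), ("2.2.2", CONF_OFF), ("2.3.0", CONF_ON)):
        print(ver, assess(ver, conf))
```

The version comparison uses the upstream version string only, so a distribution package that carries a backported fix, such as the errata listed on this page, will still be reported as an affected version.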
Created attachment 1013074: cve-2015-1856-master-kilo.patch
Created attachment 1013075: cve-2015-1856-stable-icehouse.patch
Created attachment 1013076: cve-2015-1856-stable-juno.patch
Created openstack-swift tracking bugs for this issue:

Affects: fedora-all [bug 1246358]
Affects: openstack-rdo [bug 1246360]

This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:1681 https://rhn.redhat.com/errata/RHSA-2015-1681.html

This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6
  OpenStack 5 for RHEL 7

Via RHSA-2015:1684 https://rhn.redhat.com/errata/RHSA-2015-1684.html

This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.1 for RHEL 6
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2015:1845 https://rhn.redhat.com/errata/RHSA-2015-1845.html

This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.1 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2015:1846 https://rhn.redhat.com/errata/RHSA-2015-1846.html