[Secure-testing-team] Bug#822688: CVE-2015-8466: replay attack - date/date header unvalidated
Ondřej Nový
novy at ondrej.org
Tue Apr 26 15:56:44 UTC 2016
Package: swift-plugin-s3
Version: 1.7-5
Severity: normal
Tags: security
https://review.openstack.org/#/c/255067/6
Fix date validation
According to [1] when an Authorization header is specified, either a
Date or x-amz-date header needs to be specified, with the x-amz-date
header taking precedence.
Now, the x-amz-date header is validated first, and if both headers are
missing, an AccessDenied error should be returned. This should prevent
replay attacks occurring on valid requests that are missing the Date
header.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.5.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
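The check described in the quoted change, as an added stand-alone example (not swift-plugin-s3 code and not part of this report): a signed request (one carrying Authorization) must present x-amz-date or Date, x-amz-date wins when both are present, and a signed request with neither is AccessDenied. The pre-fix function shows why the omission enabled replay: with no Date header there was no timestamp to check, so a captured signed request stayed valid indefinitely. The 15-minute window, the ISO 8601 basic form accepted for x-amz-date, and the sample requests are assumptions and constructed data, not anything the report states.

```python
"""Date / x-amz-date validation for signed S3 requests (added example).

Not swift-plugin-s3 code: a stand-alone illustration of the check the fix
describes. MAX_SKEW, the ISO 8601 basic form for x-amz-date and the sample
requests below are assumptions; the report only says a header must be present.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(minutes=15)                                      # assumed replay window
SAMPLE_NOW = datetime(2016, 4, 26, 15, 56, 44, tzinfo=timezone.utc)  # constructed server clock


class AccessDenied(Exception):
    pass


class RequestTimeTooSkewed(Exception):
    pass


def _parse_http_date(value):
    """RFC 1123 form, e.g. 'Tue, 26 Apr 2016 15:56:44 GMT'."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):          # TypeError on older Pythons, ValueError on newer
        raise AccessDenied('unparsable date header: %r' % value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def _parse_amz_date(value):
    """x-amz-date: ISO 8601 basic (assumed, e.g. 20160426T155644Z) or the RFC 1123 form."""
    try:
        return datetime.strptime(value, '%Y%m%dT%H%M%SZ').replace(tzinfo=timezone.utc)
    except ValueError:
        return _parse_http_date(value)


def request_time_unpatched(headers, now):
    """Pre-fix behaviour as the report describes it: a signed request with no
    Date header gets no freshness check at all, so a captured copy replays."""
    h = {k.lower(): v for k, v in headers.items()}
    if 'authorization' not in h or 'date' not in h:
        return None                                   # nothing checked, request accepted
    req_time = _parse_http_date(h['date'])
    if abs(now - req_time) > MAX_SKEW:
        raise RequestTimeTooSkewed('request time outside the allowed window')
    return req_time


def request_time_patched(headers, now):
    """Fixed behaviour: with Authorization present, x-amz-date takes precedence
    over Date, and a missing pair is AccessDenied, so every signed request carries
    a timestamp that bounds how long a captured copy can be replayed."""
    h = {k.lower(): v for k, v in headers.items()}
    if 'authorization' not in h:
        return None                                   # anonymous request: no date required
    if 'x-amz-date' in h:
        req_time = _parse_amz_date(h['x-amz-date'])
    elif 'date' in h:
        req_time = _parse_http_date(h['date'])
    else:
        raise AccessDenied('signed request without Date or x-amz-date')
    if abs(now - req_time) > MAX_SKEW:
        raise RequestTimeTooSkewed('request time outside the allowed window')
    return req_time


def outcome(check, headers, now=SAMPLE_NOW):
    """Reduce a check's result to a label: accepted, no-check, or the error raised."""
    try:
        return 'accepted' if check(headers, now) is not None else 'no-check'
    except AccessDenied:
        return 'AccessDenied'
    except RequestTimeTooSkewed:
        return 'RequestTimeTooSkewed'


# Constructed sample requests; the Authorization value is a placeholder, not a real signature.
AUTH = 'AWS AKIDEXAMPLE:placeholder='
REQUESTS = {
    'replayed, no date':            {'Authorization': AUTH},
    'stale Date only':              {'Authorization': AUTH,
                                     'Date': 'Tue, 26 Apr 2016 14:00:00 GMT'},
    'fresh x-amz-date only':        {'Authorization': AUTH,
                                     'x-amz-date': '20160426T155600Z'},
    'stale Date, fresh x-amz-date': {'Authorization': AUTH,
                                     'Date': 'Tue, 26 Apr 2016 14:00:00 GMT',
                                     'x-amz-date': '20160426T155600Z'},
    'anonymous':                    {},
}


def demo():
    """Map each sample request to (unpatched outcome, patched outcome)."""
    return {name: (outcome(request_time_unpatched, h), outcome(request_time_patched, h))
            for name, h in REQUESTS.items()}


if __name__ == '__main__':
    for name, result in demo().items():
        print('%-30s unpatched=%-21s patched=%s' % (name, result[0], result[1]))
```

The first row is the reported problem: a signed request with neither header passes the unpatched check untouched, while the fixed check returns AccessDenied. The last-but-one row shows the precedence rule: a stale Date next to a fresh x-amz-date is accepted because only x-amz-date is consulted.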