On 2015-09-18 12:38, Thomas Goirand wrote:
> - User creation was done in a non-OpenStack package standard way, namely
> missing the --disabled-login option.

I'm confused by this description. Your suggested change *removes* --disabled-login, whereas the description implies that the problem was that it was missing.

> - On removal, the package was calling userdel, which I consider dangerous
> (potential reuse of the UUID).
> - On purge, /var/cache/swift wasn't removed.

Ok.

> - The swift-container-sync init script wasn't installed.

As far as I can see, that description is rather incomplete. The init script wasn't "not installed", it wasn't in the package at all.

What's the function of swift-container-sync? Why is it important that the init script is added in stable?

> More importantly, there are 2 CVEs which need to be fixed:
> - CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift
>   object.
> - CVE-2015-5223: Information leak via Swift tempurls.
>
> The above CVEs were considered not critical enough by the security team
> to deserve a DSA, though they still deserve fixing.

Those look fine, thanks.

Regards,

Adam
