—

PYSEC-2016-34

Details

The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / tripleo-heat-templates

Introduced in: 0 Fixed in: 0.8.7

Fix pip install --upgrade 'tripleo-heat-templates>=0.8.7'

References

https://access.redhat.com/errata/RHSA-2015:1862 [ADVISORY]
https://bugs.launchpad.net/tripleo/+bug/1494896 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=1261697 [REPORT]
https://launchpadlibrarian.net/217268516/CVE-2015-5271_puppet-swift.patch [WEB]
https://github.com/advisories/GHSA-8936-44gw-7664 [ADVISORY]