Accepted swift 2.35.1-0+deb13u1 (source) into proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 31 Oct 2025 01:49:35 +0100
Source: swift
Architecture: source
Version: 2.35.1-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1120057
Changes:
 swift (2.35.1-0+deb13u1) trixie-security; urgency=medium
 .
   * New upstream point release:
     This new point release adds the feature to allow the use of aws-chunked
     transfer encoding. This is important because most S3 clients are using the
     boto library that has dropped support for any other protocol. This
     upstream point release contains only that change, which is minimal and
     will not affect any deployment other than accepting aws-chunked transfer.
   * Blacklist 2 unit tests that require isal lib to be installed:
     - test_sig_v4_strm_unsgnd_pyld_trl_checksum_hdr_unsupported
     - test_get_checksum_hasher
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
     a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected.
     Swift needs to be modified to accept the fix for Keystone, otherwise S3
     authentication will stop working.
     Deployers are advised to update Swift first, as the patched swift will work
     with unpatched keystone, while the opposite isn't true.
     Applied upstream patch (Closes: #1120057):
     Add bug-2119646-swift.patch, which offers swift side compatibility with the
     keystone fix.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----