-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 31 Oct 2025 01:39:14 +0100
Source: swift
Architecture: source
Version: 2.36.0-5
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1120057
Changes:
 swift (2.36.0-5) unstable; urgency=high
 .
   * Refreshed patches.
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g.,
     from a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected. Swift needs to be modified to accept the fix for Keystone,
     otherwise S3 authentication will stop working. Deployers are advised to
     update Swift first, as the patched swift will work with unpatched
     keystone, while the opposite isn't true. Applied upstream patch
     (Closes: #1120057): Add bug-2119646-swift.patch, which offers swift side
     compatibility with the keystone fix.
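A check for the exposure condition named in the changelog entry above, as an added example that is not part of this upload or of Swift or Keystone: it scans Keystone access-log lines for requests to /v3/ec2tokens or /v3/s3tokens coming from clients outside networks assumed to be internal. The log format, the trusted ranges, the /identity path prefix and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Endpoints named in the changelog entry.
SENSITIVE_PATHS = ("/v3/ec2tokens", "/v3/s3tokens")

# Assumption: networks from which S3-facing services (e.g. Swift proxies) call Keystone.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Common Log Format prefix: client ident user [time] "METHOD path proto" status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [31/Oct/2025:01:00:00 +0100] "POST /v3/s3tokens HTTP/1.1" 200 512
203.0.113.7 - - [31/Oct/2025:01:00:05 +0100] "POST /v3/ec2tokens HTTP/1.1" 200 2048
198.51.100.9 - - [31/Oct/2025:01:00:09 +0100] "POST /v3/auth/tokens HTTP/1.1" 201 4096
203.0.113.7 - - [31/Oct/2025:01:00:11 +0100] "POST /identity/v3/s3tokens?x=1 HTTP/1.1" 401 120
not a log line
"""

def is_trusted(client):
    """True only if client parses as an IP address inside a trusted network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or garbage: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def external_token_requests(log_text):
    """Return (client, path, status) for ec2tokens/s3tokens hits from untrusted clients."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string and trailing slash before matching the endpoint.
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path.endswith(SENSITIVE_PATHS) and not is_trusted(m.group("client")):
            hits.append((m.group("client"), path, int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for client, path, status in external_token_requests(SAMPLE_LOG):
        print(f"{client} reached {path} (HTTP {status})")
```

Any hit means the endpoint is reachable from outside the trusted ranges, which is the affected configuration the entry describes; the status code only shows how Keystone answered that request.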