-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Nov 2025 15:04:00 +0100
Source: swift
Architecture: source
Version: 2.26.0-10+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1120057
Changes:
 swift (2.26.0-10+deb11u2) bullseye-security; urgency=medium
 .
   * OSSA-2025-002: kay reported a vulnerability in Keystone's ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g.,
     from a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected. Swift needs to be modified to accept the fix for Keystone,
     otherwise S3 authentication will stop working. Deployers are advised to
     update Swift first, as the patched swift will work with unpatched
     keystone, while the opposite isn't true. Applied upstream patch
     (Closes: #1120057): Add bug-2119646-swift.patch, which offers swift side
     compatibility with the keystone fix.
   * Blacklist some tests.
Files:
 213d917a105a47f84d45f561d433bef1 3331 net optional swift_2.26.0-10+deb11u2.dsc
 611351b21eade1272085bddcea8259a1 2302476 net optional swift_2.26.0.orig.tar.xz
 c4b121daff6af9b31279da07de6f80e3 27928 net optional swift_2.26.0-10+deb11u2.debian.tar.xz
 cf91f169c8418c0cb4bb5710b9d56f08 15449 net optional swift_2.26.0-10+deb11u2_amd64.buildinfo