-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 31 Oct 2025 01:49:35 +0100
Source: swift
Architecture: source
Version: 2.35.1-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Closes: 1120057
Changes:
 swift (2.35.1-0+deb13u1) trixie-security; urgency=medium
 .
   * New upstream point release: This new point release adds the feature
     to allow the use of aws-chunked transfer encoding. This is important
     because most S3 clients are using the boto library that has dropped
     support for any other protocol. This upstream point release contains
     only that change, which is minimal and will not affect any deployment
     other than accepting aws-chunked transfer.
   * Blacklist 2 unit tests that require isal lib to be installed:
     - test_sig_v4_strm_unsgnd_pyld_trl_checksum_hdr_unsupported
     - test_get_checksum_hasher
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens
     and s3tokens APIs. By sending those endpoints a valid AWS Signature
     (e.g., from a presigned S3 URL), an unauthenticated attacker may obtain
     Keystone authorization (ec2tokens can yield a fully scoped token;
     s3tokens can reveal scope accepted by some services), resulting in
     unauthorized access and privilege escalation. Deployments where
     /v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated clients
     (e.g., exposed on a public API) are affected. Swift needs to be
     modified to accept the fix for Keystone, otherwise S3 authentication
     will stop working. Deployers are advised to update Swift first, as the
     patched swift will work with unpatched keystone, while the opposite
     isn't true. Applied upstream patch (Closes: #1120057): Add
     bug-2119646-swift.patch, which offers swift side compatibility with
     the keystone fix.
Checksums-Sha1:
 1ffa8390af692a32b0a3001e88f254f63ea96536 3165 swift_2.35.1-0+deb13u1.dsc
 5dc7039ecfd608a05ec987bfe49cc2fb6f587148 2706568 swift_2.35.1.orig.tar.xz
 8e763a049c892377e900ace91cd5ef562d189d80 32028 swift_2.35.1-0+deb13u1.debian.tar.xz
 5c56af8a38a9d9682f318ec0d5a5c48d885746c7 14603 swift_2.35.1-0+deb13u1_amd64.buildinfo
Checksums-Sha256:
 b7aef7b085aa0013b370e474a4a57e02484afd1edc755f4a45e575ec8cae7a3b 3165 swift_2.35.1-0+deb13u1.dsc
 ee2bba0d77ce5bccc04db93d531ddd65ee092a1ce1070b0995f1ca8f7a3a5beb 2706568 swift_2.35.1.orig.tar.xz
 29f473ee52bfce85239cf7b3dc7160ef3560a7253c391f14edd11865b1373104 32028 swift_2.35.1-0+deb13u1.debian.tar.xz
 d2c5519a2a0e7599c7124b421f3e18caa55f001fe38464ba057e634596782cb1 14603 swift_2.35.1-0+deb13u1_amd64.buildinfo
Files:
 ec0165efc0c28df1f3e7da4c76ae2df9 3165 net optional swift_2.35.1-0+deb13u1.dsc
 0fe9e0f72d050292fb9182633c9462af 2706568 net optional swift_2.35.1.orig.tar.xz
 fa77d063c2a6fe4860f3fec26e860e05 32028 net optional swift_2.35.1-0+deb13u1.debian.tar.xz
 ad3f97cce58dfbf48baf00d5605476e9 14603 net optional swift_2.35.1-0+deb13u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAmkS7bAACgkQ1BatFaxr
Q/7G+w//UOFZPHtZy2Q6mujhFbflwwe7JOdRBesJ+ahOsDm5jHqQZQSj40r/0aDz
axtqTE3QVWcgT63CDddA2AngiIjAMc4FWYOt39GAoOnvjz3u3dODAW6ExQkZLSDn
CBB+k+Slp+5s9NAlSY9nQIcvr8NBN0DB7RiyoyxV1HSWDFZD5XQZwq20c9heVkAw
XYtiuU82C34mni+Nnqc9EUpfxxhIERHB1fXyezRQf+j/Cdglh7hUhtM3BEBH9OxT
/BisMs0BuXD8M6Vs727CFu7YgXeRjECpIhOw/3Up8stkKmd5bcYXH4gRFY9RYC6s
oCPG6j2t1cAOMO1Y15V/M/XYq6vORzBF/HVwkwUVm8lBrOqGFuP6nMBz6uLsWZhm
4MbLSAwfnzJWf3+9htsvDiMjvqMIq5KxoDTYGyfNnfd89LKbGi2khOgL8QbFJ0la
b3EtVTg+wIhtek+zBT24bEmipNn7mrc7OYnRJ0RIkMLK8VZ2gMtuXcnLI9DhQs22
4mzhfEghwMS8rul9j7djgtBN2XdD0ttCBoqLWqFnfX/TS9oaHA5rei/yCOZ6w021
Gt8O63Aw0E82dCGKju6RebUldWg2NnwYxMtKrBtxaDtd+8758yQQwQNk9on5K5P2
ZQP9N/2625D+FeES2fE++bFC+UMoM5FBheaOWl4Cf98J9ldcmFc=
=oKCX
-----END PGP SIGNATURE-----
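The Checksums-Sha1, Checksums-Sha256 and Files stanzas above are the manifest a consumer should check the downloaded .dsc, orig tarball, debian tarball and buildinfo against before building or installing anything from this upload. The following is an added example, not part of the Debian upload or of the Swift project: a small parser for those three stanzas that verifies size and digest for each listed file, flags missing or tampered files, and confirms that all three stanzas list the same file set. The .changes fragment and file contents it runs on are constructed for the example (the digests are those of the bytes "hello\n"); the real upload's files are not embedded.

```python
import hashlib
import re

# Constructed sample: a minimal .changes body in the same layout as the
# swift_2.35.1-0+deb13u1 upload, but for two files we can build in memory.
# Every digest below is the digest of b"hello\n" (6 bytes).
SAMPLE_CHANGES = """\
Format: 1.8
Source: example
Checksums-Sha1:
 f572d396fae9206628714fb2ce00f72e94f2258f 6 example_1.0.orig.tar.xz
 f572d396fae9206628714fb2ce00f72e94f2258f 6 example_1.0-1.debian.tar.xz
Checksums-Sha256:
 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 example_1.0.orig.tar.xz
 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 example_1.0-1.debian.tar.xz
Files:
 b1946ac92492d2347c6235b4d2611184 6 net optional example_1.0.orig.tar.xz
 b1946ac92492d2347c6235b4d2611184 6 net optional example_1.0-1.debian.tar.xz
"""

# Constructed downloaded contents: the first file is intact, the second has
# one byte flipped (same length, so only the digests catch it).
SAMPLE_FILES = {
    "example_1.0.orig.tar.xz": b"hello\n",
    "example_1.0-1.debian.tar.xz": b"hellp\n",
}

# Stanza name -> hashlib algorithm used for that stanza's first column.
DIGEST_FIELDS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}


def parse_changes(text):
    """Return {stanza: [(digest, size, filename), ...]} for the checksum stanzas.

    Works on a plain or a clearsigned .changes file: armor lines, the Hash:
    header and the base64 signature carry no 'Name:' field and are skipped.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("-----") or raw.startswith("Hash:"):
            continue
        if raw.startswith(" ") and current is not None:
            parts = raw.split()
            # 'Files:' rows carry section and priority between size and name,
            # so the filename is always the last column.
            if len(parts) >= 3:
                stanzas[current].append((parts[0], int(parts[1]), parts[-1]))
            continue
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", raw)
        if m:
            name = m.group(1)
            current = name if name in DIGEST_FIELDS else None
            if current:
                stanzas.setdefault(current, [])
    return stanzas


def stanza_files_consistent(text):
    """True when every checksum stanza lists exactly the same filenames."""
    sets = [{name for _, _, name in rows} for rows in parse_changes(text).values()]
    return bool(sets) and all(s == sets[0] for s in sets)


def verify_changes(text, files):
    """Check each listed file (name -> bytes) against every stanza present.

    Returns {filename: [problem, ...]}; an empty list means the file matched
    size and all digests. Missing files are reported once per stanza.
    """
    results = {}
    stanzas = parse_changes(text)
    for field, algo in DIGEST_FIELDS.items():
        for digest, size, name in stanzas.get(field, []):
            problems = results.setdefault(name, [])
            data = files.get(name)
            if data is None:
                problems.append(f"{field}: file missing")
                continue
            if len(data) != size:
                problems.append(f"{field}: size {len(data)} != {size}")
            actual = hashlib.new(algo, data).hexdigest()
            if actual != digest:
                problems.append(f"{field}: {algo} mismatch")
    return results


if __name__ == "__main__":
    for name, problems in verify_changes(SAMPLE_CHANGES, SAMPLE_FILES).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

A matching manifest proves only that the files are the ones the uploader described; what makes the manifest itself trustworthy is the PGP signature over the .changes (checked with gpg --verify against the Debian keyring), so run the signature check before relying on these digests. Treat the SHA-256 stanza as the authoritative one; the MD5 and SHA-1 columns are kept for compatibility and a file that passes only those should still be rejected.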