author Tim Burke <tim.burke@gmail.com> 2023-01-30 13:24:20 -0800
committer Tim Burke <tim.burke@gmail.com> 2023-01-30 15:22:00 -0800
commit 19879831272b37b5e49f73a4d49f1a4587ccd7c7
tree 84a65edf26cd4716d46e91b800b2bb95ca062f34
parent d8d04ef43c90079d436b2e49617b4425ba39c28e
download swift-19879831272b37b5e49f73a4d49f1a4587ccd7c7.tar.gz
Authors/ChangeLog for 2.29.2 (tag: 2.29.2)
Change-Id: I19d7c37e2f4b63f8743560b6b6569c0bc096ee65
-rw-r--r-- AUTHORS 1
-rw-r--r-- CHANGELOG 16
-rw-r--r-- releasenotes/notes/2_29_2_release-de619e50f10cc413.yaml 20
3 files changed, 37 insertions, 0 deletions
diff --git a/AUTHORS b/AUTHORS
index 3d2bc530a..aa9dc9593 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -398,6 +398,7 @@ Takashi Kajinami (tkajinam@redhat.com)
Takashi Natsume (natsume.takashi@lab.ntt.co.jp)
TheSriram (sriram@klusterkloud.com)
Thiago da Silva (thiagodasilva@gmail.com)
+Thibault Person (thibault.person@ovhcloud.com)
Thierry Carrez (thierry@openstack.org)
Thomas Goirand (thomas@goirand.fr)
Thomas Herve (therve@redhat.com)
diff --git a/CHANGELOG b/CHANGELOG
index 6aa4084da..8c84f5aad 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,19 @@
+swift (2.29.2, yoga stable backports)
+
+ * Fixed a security issue in how `s3api` handles XML parsing that allowed
+ authenticated S3 clients to read arbitrary files from proxy servers.
+ Refer to CVE-2022-47950 for more information.
+
+ * Constant-time string comparisons are now used when checking S3 API
+ signatures.
+
+ * Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14,
+ and 3.10.6 that could cause some `domain_remap` requests to be routed to
+ the wrong object.
+
+ * Improved compatibility with certain FIPS-mode-enabled systems.
+
+
swift (2.29.1, OpenStack Yoga)
* This is the final stable branch that will support Python 2.7.
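Review bot: The CVE-2022-47950 entry at the top of the new 2.29.2 section says what was fixed but not who needs to act: it does not state whether only proxies with `s3api` enabled are exposed, or which earlier releases carry the bug. Since the stated impact is arbitrary file read from proxy servers by any authenticated S3 client, consider adding one sentence on affected configurations and an explicit recommendation to upgrade. The signature-comparison bullet would also read better if it said what the constant-time comparison protects against. Minor style point: the new header reads `swift (2.29.2, yoga stable backports)` while the existing header below it reads `swift (2.29.1, OpenStack Yoga)`; capitalizing "Yoga" would keep the two consistent.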
diff --git a/releasenotes/notes/2_29_2_release-de619e50f10cc413.yaml b/releasenotes/notes/2_29_2_release-de619e50f10cc413.yaml
new file mode 100644
index 000000000..0c6fd5a51
--- /dev/null
+++ b/releasenotes/notes/2_29_2_release-de619e50f10cc413.yaml
@@ -0,0 +1,20 @@
+---
+security:
+ - |
+ Fixed a security issue in how ``s3api`` handles XML parsing that allowed
+ authenticated S3 clients to read arbitrary files from proxy servers.
+ Refer to `CVE-2022-47950 <https://cve.circl.lu/cve/CVE-2022-47950>`__
+ for more information.
+
+ - |
+ Constant-time string comparisons are now used when checking S3 API
+ signatures.
+
+fixes:
+ - |
+ Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14,
+ and 3.10.6 that could cause some ``domain_remap`` requests to be routed to
+ the wrong object.
+
+ - |
+ Improved compatibility with certain FIPS-mode-enabled systems.
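Review bot: The CVE reference in the first `security` item links to `https://cve.circl.lu/cve/CVE-2022-47950`, a third-party lookup service, so the release note depends on that site staying available and unchanged. Consider pointing at the CVE Program's own record or the project's security advisory instead. Separately, the last `fixes` item, "Improved compatibility with certain FIPS-mode-enabled systems", gives operators nothing to check their deployment against; naming what was changed would make it actionable.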