| author | Tim Burke <tim.burke@gmail.com> | 2023-01-30 13:24:20 -0800 |
|---|---|---|
| committer | Tim Burke <tim.burke@gmail.com> | 2023-01-30 15:22:00 -0800 |
| commit | 19879831272b37b5e49f73a4d49f1a4587ccd7c7 | |
| tree | 84a65edf26cd4716d46e91b800b2bb95ca062f34 | |
| parent | d8d04ef43c90079d436b2e49617b4425ba39c28e | |
| download | swift-19879831272b37b5e49f73a4d49f1a4587ccd7c7.tar.gz | |
Authors/ChangeLog for 2.29.2
Change-Id: I19d7c37e2f4b63f8743560b6b6569c0bc096ee65
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | AUTHORS | 1 |
| -rw-r--r-- | CHANGELOG | 16 |
| -rw-r--r-- | releasenotes/notes/2_29_2_release-de619e50f10cc413.yaml | 20 |

3 files changed, 37 insertions, 0 deletions
@@ -398,6 +398,7 @@ Takashi Kajinami (tkajinam@redhat.com) Takashi Natsume (natsume.takashi@lab.ntt.co.jp) TheSriram (sriram@klusterkloud.com) Thiago da Silva (thiagodasilva@gmail.com) +Thibault Person (thibault.person@ovhcloud.com) Thierry Carrez (thierry@openstack.org) Thomas Goirand (thomas@goirand.fr) Thomas Herve (therve@redhat.com) @@ -1,3 +1,19 @@ +swift (2.29.2, yoga stable backports) + + * Fixed a security issue in how `s3api` handles XML parsing that allowed + authenticated S3 clients to read arbitrary files from proxy servers. + Refer to CVE-2022-47950 for more information. + + * Constant-time string comparisons are now used when checking S3 API + signatures. + + * Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, + and 3.10.6 that could cause some `domain_remap` requests to be routed to + the wrong object. + + * Improved compatibility with certain FIPS-mode-enabled systems. + + swift (2.29.1, OpenStack Yoga) * This is the final stable branch that will support Python 2.7. diff --git a/releasenotes/notes/2_29_2_release-de619e50f10cc413.yaml b/releasenotes/notes/2_29_2_release-de619e50f10cc413.yaml new file mode 100644 index 000000000..0c6fd5a51 --- /dev/null +++ b/releasenotes/notes/2_29_2_release-de619e50f10cc413.yaml @@ -0,0 +1,20 @@ +--- +security: + - | + Fixed a security issue in how ``s3api`` handles XML parsing that allowed + authenticated S3 clients to read arbitrary files from proxy servers. + Refer to `CVE-2022-47950 <https://cve.circl.lu/cve/CVE-2022-47950>`__ + for more information. + + - | + Constant-time string comparisons are now used when checking S3 API + signatures. + +fixes: + - | + Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, + and 3.10.6 that could cause some ``domain_remap`` requests to be routed to + the wrong object. + + - | + Improved compatibility with certain FIPS-mode-enabled systems. |
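Review bot: in the CHANGELOG hunk, the first bullet cites CVE-2022-47950 without a link, while the release note added in the same change links it (`https://cve.circl.lu/cve/CVE-2022-47950`); carry the same link into CHANGELOG, or point both at the canonical CVE record, so operators who read only CHANGELOG can reach the advisory. The constant-time comparison bullet would also read better if it named what it guards against (a timing side channel on S3 signature verification), since CHANGELOG has no `security:` grouping to signal that it is a hardening fix rather than a plain bug fix.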
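Review bot: in the release-note hunk, the `fixes:` entry about `domain_remap` requests being "routed to the wrong object" describes a request reaching an object other than the one addressed, which is an access-control concern as much as a correctness one; consider either moving it under `security:` or stating explicitly that no cross-account exposure was possible, so operators on the affected Python versions (3.7.14, 3.8.14, 3.9.14 and 3.10.6) can judge urgency. The CVE link points at the cve.circl.lu mirror; prefer the canonical CVE record (cve.org or NVD) as the primary reference and keep the mirror as a secondary link if desired.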