author | Tim Burke <tim.burke@gmail.com> | 2023-01-30 13:24:20 -0800 |
---|---|---|
committer | Tim Burke <tim.burke@gmail.com> | 2023-01-30 15:23:08 -0800 |
commit | fbec7694e554252f685f82ff2a895f86ab5ae8b1 (patch) | |
tree | d1a1be4a06662a313cfc965dc143a2f3d1312a61 | |
parent | 041cb672e8af71ba9622d22ed4c675f437b26753 (diff) | |
download | swift-fbec7694e554252f685f82ff2a895f86ab5ae8b1.tar.gz |
Authors/ChangeLog for 2.30.1
Change-Id: I4786371314daa3f37e33f97defed43d1cec887ba
-rw-r--r-- | .mailmap | 1 |
-rw-r--r-- | AUTHORS | 3 |
-rw-r--r-- | CHANGELOG | 13 |
-rw-r--r-- | releasenotes/notes/2_30_1_release-856dd70ec466aa74.yaml | 13 |
4 files changed, 28 insertions, 2 deletions
@@ -134,3 +134,4 @@ Gilles Biannic <gilles.biannic@corp.ovh.com> gillesbiannic melissaml <ma.lei@99cloud.net> <malei@maleideMacBook-Pro.local> Ashwin Nair <nairashwin952013@gmail.com> indianwhocodes Romain de Joux <romain.de-joux@ovhcloud.com> <romain.de-joux@corp.ovh.com> +Takashi Natsume <takanattie@gmail.com> <natsume.takashi@lab.ntt.co.jp> @@ -40,6 +40,7 @@ Aaron Rosen (arosen@nicira.com) Ade Lee (alee@redhat.com) Adrian Smith (adrian_f_smith@dell.com) Adrien Pensart (adrien.pensart@corp.ovh.com) +afariasa (afariasa@redhat.com) Akihiro Motoki (amotoki@gmail.com) Akihito Takai (takaiak@nttdata.co.jp) Alex Gaynor (alex.gaynor@gmail.com) @@ -399,7 +400,7 @@ Steve Martinelli (stevemar@ca.ibm.com) Steven Lang (Steven.Lang@hgst.com) Sushil Kumar (sushil.kumar2@globallogic.com) Takashi Kajinami (tkajinam@redhat.com) -Takashi Natsume (natsume.takashi@lab.ntt.co.jp) +Takashi Natsume (takanattie@gmail.com) TheSriram (sriram@klusterkloud.com) Thiago da Silva (thiagodasilva@gmail.com) Thibault Person (thibault.person@ovhcloud.com) @@ -1,4 +1,15 @@ -swift (2.30.0) +swift (2.30.1, zed stable backports) + + * Fixed a security issue in how `s3api` handles XML parsing that allowed + authenticated S3 clients to read arbitrary files from proxy servers. + Refer to CVE-2022-47950 for more information. + + * Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, + and 3.10.6 that could cause some `domain_remap` requests to be routed to + the wrong object. + + +swift (2.30.0, OpenStack Zed) * Sharding improvements diff --git a/releasenotes/notes/2_30_1_release-856dd70ec466aa74.yaml b/releasenotes/notes/2_30_1_release-856dd70ec466aa74.yaml new file mode 100644 index 000000000..a9c13102d --- /dev/null +++ b/releasenotes/notes/2_30_1_release-856dd70ec466aa74.yaml 
@@ -0,0 +1,13 @@ +--- +security: + - | + Fixed a security issue in how ``s3api`` handles XML parsing that allowed + authenticated S3 clients to read arbitrary files from proxy servers. + Refer to `CVE-2022-47950 <https://cve.circl.lu/cve/CVE-2022-47950>`__ + for more information. + +fixes: + - | + Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, + and 3.10.6 that could cause some ``domain_remap`` requests to be routed to + the wrong object. |
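Review bot: In the AUTHORS hunk at line 40, the new entry `afariasa (afariasa@redhat.com)` is a login-style handle, while every neighbouring entry gives a full name. If the contributor's preferred name is known, list it here and add a matching .mailmap line, the way this patch does for Takashi Natsume, so attribution stays consistent across releases.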
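Review bot: The security item in the CHANGELOG hunk names CVE-2022-47950 but does not say which releases are affected or what operators running `s3api` should do. Since the stated impact is authenticated clients reading arbitrary files from proxy servers, a sentence on the affected versions and the recommended action (upgrade to 2.30.1) would let operators triage from the changelog alone. The `domain_remap` item has the same gap: "some `domain_remap` requests" gives no hint of which request shapes were misrouted.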
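Review bot: In the new releasenotes/notes/2_30_1_release-856dd70ec466aa74.yaml, the CVE-2022-47950 link under `security:` points at cve.circl.lu, a third-party CVE search service. Consider linking the authoritative CVE record or the project's own security advisory instead, so the reference is stable and carries the project's affected-version and patch details. The wording here also duplicates the CHANGELOG entry, so any correction to one needs to be mirrored in the other.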