Hello community,
here is the log from the commit of package azure-storage-azcopy for
openSUSE:Factory checked in at 2026-03-23 17:16:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/azure-storage-azcopy (Old)
and /work/SRC/openSUSE:Factory/.azure-storage-azcopy.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "azure-storage-azcopy"
Mon Mar 23 17:16:02 2026 rev:5 rq:1342040 version:10.32.2
Changes:
--------
---
/work/SRC/openSUSE:Factory/azure-storage-azcopy/azure-storage-azcopy.changes
2026-03-11 20:58:35.330012374 +0100
+++
/work/SRC/openSUSE:Factory/.azure-storage-azcopy.new.8177/azure-storage-azcopy.changes
2026-03-23 17:17:56.577088209 +0100
@@ -1,0 +2,42 @@
+Mon Mar 23 12:51:41 UTC 2026 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Update to 10.32.2
+ * cloud.google.com/go/storage v1.45.0 -> v1.50.0
+ * Golang 1.24.13 -> 1.25.8
+ * Golangci-lint v1.64.8 -> v2.11.3
+ * Fixed a regression where the folder tracker would panic with
+ pre-existing folders and --overwrite=ifSourceNewer. (#3403)
+ * Fixed a regression where cancellation was not working via stdin (#3373)
+ * Fixed a regression where we hit segfaults from logging
+ to a nil logger in the process checker. (#3384)
+ * Fixed a race condition panic from concurrent access to a
+ shared metadata resource by introducing thread safety. (#3341)
+ * Fixed a bug where --posix-properties-style was not being chained
+ through the copy flow correctly. (#3401)
+ * Fixed a regression where in tandem use of --list-of-files
+ and --include-pattern no longer worked. (#3389)
+- from version 10.32.1
+ * Golang 1.24.11 -> 1.24.13
+- from version 10.32.0
+ * Added support for AMLFS style posix metadata. (#3317)
+ * Fixed a bug where hdi_isfolder metadata key would sometimes
+ not be sent in all lowercase, resulting in unexpected behavior
+ on the service side when fetching properties. (#3312)
+ * Fixed a typo in the benchmark command, to allow the --put-md5 flag to
work. (#3324)
+ * Fixed a bug where network errors would not be retried on. (#3338)
+ * Fixed a bug where unexpected requests would be logged in syslog. (#3339)
+ * Fixed a bug where pre-existing folders would be recreated. (#3295)
+ * Updated README to clarify supported source-destination pairs and
+ authorization mechanisms. (#3213)
+ * Updated format of wiki generated docs to improve readability. (#3311)
+ * AzCopy download URLs starting with
https://azcopyvnext-awgzd8g7aagqhzhe.b02.azurefd.net/
+ are no longer supported.
+- from version 10.32.0~preview.1
+ * Fixed a bug where throughput was not being displayed for copy and resume.
(#3271)
+ * Fixed a bug where S3 and GCP transfers would panic. (#3273)
+ * Refactored copy, sync, resume, login, logout, login status
+ business logic into the azcopy package.
+- Add CVE-2026-33186.patch to fix authorization bypass in grpc-go due to
improper
+ validation of the HTTP/2 :path pseudo-header (bsc#1260307, CVE-2026-33186)
+
+-------------------------------------------------------------------
Old:
----
azure-storage-azcopy-v10.31.1.tar.gz
New:
----
CVE-2026-33186.patch
azure-storage-azcopy-v10.32.2.tar.gz
----------(New B)----------
New: business logic into the azcopy package.
- Add CVE-2026-33186.patch to fix authorization bypass in grpc-go due to
improper
validation of the HTTP/2 :path pseudo-header (bsc#1260307, CVE-2026-33186)
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ azure-storage-azcopy.spec ++++++
--- /var/tmp/diff_new_pack.z4woOJ/_old 2026-03-23 17:17:58.561170490 +0100
+++ /var/tmp/diff_new_pack.z4woOJ/_new 2026-03-23 17:17:58.561170490 +0100
@@ -23,7 +23,7 @@
%global import_path %{provider_prefix}
Name: azure-storage-azcopy
-Version: 10.31.1
+Version: 10.32.2
Release: 0
License: MIT
Summary: Microsoft Azure Storage data transfer utility
@@ -32,6 +32,8 @@
Source1: vendor.tar.gz
# PATCH-FIX-UPSTREAM - Add support for s390x architecture - gh/wastore/keyctl#2
Patch0: keyctl-add-s390x-support.patch
+# PATCH-FIX-UPSTREAM - grpc: enforce strict path checking for incoming
requests on the server
+Patch1: CVE-2026-33186.patch
BuildRequires: golang-packaging
BuildRequires: go >= 1.24
# Building with -buildmode=pie is currently unsupported on armv7l, i586,
riscv64 and s390x
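Review bot: The `# PATCH-FIX-UPSTREAM` comment added for Patch1 carries no reference, unlike the Patch0 comment just above it, which ends in gh/wastore/keyctl#2. Append the upstream pull request and bug named elsewhere in this commit (grpc-go #8985, bsc#1260307, CVE-2026-33186) so the patch can be traced and dropped later. Separately, the context line `BuildRequires: go >= 1.24` is left unchanged while the changelog records upstream moving to Golang 1.25.8; it is worth confirming that the lower bound still matches what the new tarball requires.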
@@ -50,6 +52,9 @@
pushd vendor/github.com/wastore/keyctl
%patch -P0 -p1
popd
+pushd vendor/google.golang.org/grpc
+%patch -P1 -p1
+popd
%build
%goprep %{import_path}
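Review bot: The `%patch -P1 -p1` step inside `vendor/google.golang.org/grpc` patches a copy that comes from vendor.tar.gz, and nothing in the spec records which vendored grpc version the patch was prepared against. Add a spec comment saying Patch1 is to be dropped once the vendored grpc carries the upstream fix, since a regenerated vendor.tar.gz that already contains it will make this step fail to apply.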
++++++ CVE-2026-33186.patch ++++++
>From a14945b6c915fc7efaa7e955875c412815a48ea3 Mon Sep 17 00:00:00 2001
From: Easwar Swaminathan <[email protected]>
Date: Tue, 17 Mar 2026 16:35:32 -0700
Subject: [PATCH] grpc: enforce strict path checking for incoming requests on
the server (#8985)
RELEASE NOTES:
* server: fix an authorization bypass where malformed :path headers
(missing the leading slash) could bypass path-based restricted "deny"
rules in interceptors like `grpc/authz`. Any request with a
non-canonical path is now immediately rejected with an `Unimplemented`
error.
---
internal/envconfig/envconfig.go | 16 +++++++++
server.go | 57 ++++++++++++++++++++++++---------
2 files changed, 57 insertions(+), 16 deletions(-)
diff --git a/internal/envconfig/envconfig.go b/internal/envconfig/envconfig.go
index e8dc7912..7ad6fb44 100644
--- a/internal/envconfig/envconfig.go
+++ b/internal/envconfig/envconfig.go
@@ -88,6 +88,22 @@ var (
// feature can be disabled by setting the environment variable
// GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING to "false".
PickFirstWeightedShuffling =
boolFromEnv("GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING", true)
+
+ // DisableStrictPathChecking indicates whether strict path checking is
+ // disabled. This feature can be disabled by setting the environment
+ // variable GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING to "true".
+ //
+ // When strict path checking is enabled, gRPC will reject requests with
+ // paths that do not conform to the gRPC over HTTP/2 specification
found at
+ // https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md.
+ //
+ // When disabled, gRPC will allow paths that do not contain a leading
slash.
+ // Enabling strict path checking is recommended for security reasons,
as it
+ // prevents potential path traversal vulnerabilities.
+ //
+ // A future release will remove this environment variable, enabling
strict
+ // path checking behavior unconditionally.
+ DisableStrictPathChecking =
boolFromEnv("GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING", false)
)
func boolFromEnv(envVar string, def bool) bool {
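Review bot: The doc comment on `DisableStrictPathChecking` says strict checking "prevents potential path traversal vulnerabilities", which does not match the commit message: the release notes describe an authorization bypass of path-based "deny" rules in interceptors. Reword that sentence to name the authorization bypass. It would also help to say in the comment that setting GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING to "true" restores the old behaviour for the whole process, since the value is read from the environment.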
diff --git a/server.go b/server.go
index 1b5cefe8..8efb29a7 100644
--- a/server.go
+++ b/server.go
@@ -42,6 +42,7 @@ import (
"google.golang.org/grpc/internal"
"google.golang.org/grpc/internal/binarylog"
"google.golang.org/grpc/internal/channelz"
+ "google.golang.org/grpc/internal/envconfig"
"google.golang.org/grpc/internal/grpcsync"
"google.golang.org/grpc/internal/grpcutil"
istats "google.golang.org/grpc/internal/stats"
@@ -149,6 +150,8 @@ type Server struct {
serverWorkerChannel chan func()
serverWorkerChannelClose func()
+
+ strictPathCheckingLogEmitted atomic.Bool
}
type serverOptions struct {
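Review bot: The new field `strictPathCheckingLogEmitted` is added to the `Server` struct without a comment. State that it limits the malformed-path warning to one emission per server. The import hunk above adds only `internal/envconfig`, so also confirm that `sync/atomic` is already imported in server.go for `atomic.Bool`.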
@@ -1762,6 +1765,24 @@ func (s *Server) processStreamingRPC(ctx
context.Context, stream *transport.Serv
return ss.s.WriteStatus(statusOK)
}
+func (s *Server) handleMalformedMethodName(stream *transport.ServerStream, ti
*traceInfo) {
+ if ti != nil {
+ ti.tr.LazyLog(&fmtStringer{"Malformed method name %q",
[]any{stream.Method()}}, true)
+ ti.tr.SetError()
+ }
+ errDesc := fmt.Sprintf("malformed method name: %q", stream.Method())
+ if err := stream.WriteStatus(status.New(codes.Unimplemented, errDesc));
err != nil {
+ if ti != nil {
+ ti.tr.LazyLog(&fmtStringer{"%v", []any{err}}, true)
+ ti.tr.SetError()
+ }
+ channelz.Warningf(logger, s.channelz, "grpc:
Server.handleStream failed to write status: %v", err)
+ }
+ if ti != nil {
+ ti.tr.Finish()
+ }
+}
+
func (s *Server) handleStream(t transport.ServerTransport, stream
*transport.ServerStream) {
ctx := stream.Context()
ctx = contextWithServer(ctx, s)
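Review bot: `handleMalformedMethodName` is added without a doc comment, and its contract matters to callers: it writes an `Unimplemented` status and finishes the trace, so the caller has to return right after calling it. Document that above the function. The warning inside it still reads "grpc: Server.handleStream failed to write status", which now names the caller rather than the function doing the logging.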
@@ -1782,26 +1803,30 @@ func (s *Server) handleStream(t
transport.ServerTransport, stream *transport.Ser
}
sm := stream.Method()
- if sm != "" && sm[0] == '/' {
+ if sm == "" {
+ s.handleMalformedMethodName(stream, ti)
+ return
+ }
+ if sm[0] != '/' {
+ // TODO(easwars): Add a link to the CVE in the below log
messages once
+ // published.
+ if envconfig.DisableStrictPathChecking {
+ if old := s.strictPathCheckingLogEmitted.Swap(true);
!old {
+ channelz.Warningf(logger, s.channelz, "grpc:
Server.handleStream received malformed method name %q. Allowing it because the
environment variable GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING is set
to true, but this option will be removed in a future release.", sm)
+ }
+ } else {
+ if old := s.strictPathCheckingLogEmitted.Swap(true);
!old {
+ channelz.Warningf(logger, s.channelz, "grpc:
Server.handleStream rejected malformed method name %q. To temporarily allow
such requests, set the environment variable
GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING to true. Note that this is
not recommended as it may allow requests to bypass security policies.", sm)
+ }
+ s.handleMalformedMethodName(stream, ti)
+ return
+ }
+ } else {
sm = sm[1:]
}
pos := strings.LastIndex(sm, "/")
if pos == -1 {
- if ti != nil {
- ti.tr.LazyLog(&fmtStringer{"Malformed method name %q",
[]any{sm}}, true)
- ti.tr.SetError()
- }
- errDesc := fmt.Sprintf("malformed method name: %q",
stream.Method())
- if err := stream.WriteStatus(status.New(codes.Unimplemented,
errDesc)); err != nil {
- if ti != nil {
- ti.tr.LazyLog(&fmtStringer{"%v", []any{err}},
true)
- ti.tr.SetError()
- }
- channelz.Warningf(logger, s.channelz, "grpc:
Server.handleStream failed to write status: %v", err)
- }
- if ti != nil {
- ti.tr.Finish()
- }
+ s.handleMalformedMethodName(stream, ti)
return
}
service := sm[:pos]
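Review bot: In the `sm[0] != '/'` branch both warnings are guarded by `s.strictPathCheckingLogEmitted.Swap(true)`, so only the first malformed path a server sees is logged through `channelz.Warningf` and every later rejected or allowed request produces no warning. For a check that exists to stop an authorization bypass, that leaves operators with a single log line no matter how many such requests arrive; consider a rate-limited warning or a counter instead of a one-shot flag, so repeated malformed paths stay visible.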
--
2.53.0
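A model of the routing change in the patch above, as an added example that is not part of the grpc-go patch or of the package: `splitLegacy` and `splitStrict` follow the old and new `handleStream` checks, while the `denied` rule, the `reachesHandler` helper and the `admin.Service/Delete` path are constructed for illustration. It shows why a deny rule written against the canonical name misses a path without the leading slash that the old code still routed.

```go
package main

import (
	"fmt"
	"strings"
)

// splitLegacy follows the pre-patch handleStream logic shown in the diff:
// a leading slash is stripped when present, but it is not required.
func splitLegacy(sm string) (service, method string, ok bool) {
	if sm != "" && sm[0] == '/' {
		sm = sm[1:]
	}
	pos := strings.LastIndex(sm, "/")
	if pos == -1 {
		return "", "", false
	}
	return sm[:pos], sm[pos+1:], true
}

// splitStrict follows the patched logic with strict checking enabled:
// empty paths and paths without a leading slash are rejected outright.
func splitStrict(sm string) (service, method string, ok bool) {
	if sm == "" || sm[0] != '/' {
		return "", "", false
	}
	return splitLegacy(sm)
}

// denied is a hypothetical path-based deny rule that compares the raw
// method string against canonical names, as an interceptor might.
func denied(raw string, deny map[string]bool) bool { return deny[raw] }

// reachesHandler reports whether a request gets past the deny rule and is
// still routed to a service/method by the given splitter.
func reachesHandler(raw string, deny map[string]bool, split func(string) (string, string, bool)) bool {
	_, _, routed := split(raw)
	return routed && !denied(raw, deny)
}

func main() {
	deny := map[string]bool{"/admin.Service/Delete": true} // constructed rule
	for _, p := range []string{"/admin.Service/Delete", "admin.Service/Delete", ""} {
		fmt.Printf("%-24q legacy=%v strict=%v\n", p,
			reachesHandler(p, deny, splitLegacy), reachesHandler(p, deny, splitStrict))
	}
}
```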
++++++ _service ++++++
--- /var/tmp/diff_new_pack.z4woOJ/_old 2026-03-23 17:17:58.621172979 +0100
+++ /var/tmp/diff_new_pack.z4woOJ/_new 2026-03-23 17:17:58.625173144 +0100
@@ -3,8 +3,8 @@
<param name="url">https://github.com/Azure/azure-storage-azcopy</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
- <param name="versionformat">v10.31.1</param>
- <param name="revision">v10.31.1</param>
+ <param name="versionformat">v10.32.2</param>
+ <param name="revision">v10.32.2</param>
<param name="changesgenerate">disable</param>
</service>
<service name="recompress" mode="disabled">
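Review bot: `revision` is set to the tag `v10.32.2`, just as the old value was the tag `v10.31.1`, and a git tag can be moved upstream after the fact. Pinning `revision` to the commit hash behind the tag, while keeping `versionformat` for the version string, makes the fetched source reproducible and easier to audit.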
@@ -15,7 +15,7 @@
<param name="basename">azure-storage-azcopy</param>
</service>
<service name="go_modules" mode="disabled">
- <param name="archive">azure-storage-azcopy-v10.31.1.tar.gz</param>
+ <param name="archive">azure-storage-azcopy-v10.32.2.tar.gz</param>
</service>
</services>
++++++ azure-storage-azcopy-v10.31.1.tar.gz ->
azure-storage-azcopy-v10.32.2.tar.gz ++++++
/work/SRC/openSUSE:Factory/azure-storage-azcopy/azure-storage-azcopy-v10.31.1.tar.gz
/work/SRC/openSUSE:Factory/.azure-storage-azcopy.new.8177/azure-storage-azcopy-v10.32.2.tar.gz
differ: char 12, line 1
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/azure-storage-azcopy/vendor.tar.gz
/work/SRC/openSUSE:Factory/.azure-storage-azcopy.new.8177/vendor.tar.gz differ:
char 14, line 1