Your message dated Sun, 31 May 2026 20:32:26 +0000
with message-id <[email protected]>
and subject line Bug#1138170: fixed in swift 2.35.1-0+deb13u2
has caused the Debian Bug report #1138170,
regarding CVE-2026-49017: Swift proxy-server denial of service via truncated
s3api chunked upload
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138170: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138170
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: swift
Version: 2.35.1-0+deb13u1
Severity: important
Tags: patch
As per the official announcement:
https://security.openstack.org/ossa/OSSA-2026-014.html
OSSA-2026-014: Swift proxy-server denial of service via truncated s3api chunked
upload
Date: May 27, 2026
CVE: CVE-2026-49017
Affects: Swift: >=2.36.0 <2.36.2, >=2.37.0 <2.37.2
Note from package maintainer: Anything before Trixie is unaffected, because
there was no support for aws-chunked transfer before upstream release
2.35.1. Trixie has currently: 2.35.1-0+deb13u1.
Description:
Alistair Coles from NVIDIA reported a denial of service vulnerability in
Swift’s s3api middleware. An authenticated user can send a truncated
aws-chunked PUT request that causes a proxy-server worker to enter an infinite
loop, consuming CPU and memory until the process becomes permanently
unresponsive. Deployments running Swift 2.36.0 or later with the s3api
middleware enabled are affected.
Patches:
https://review.opendev.org/990262 (2025.2/flamingo)
https://review.opendev.org/990261 (2026.1/gazpacho)
https://review.opendev.org/987957 (2026.2/hibiscus)
Credits:
Alistair Coles from NVIDIA (CVE-2026-49017)
References:
https://launchpad.net/bugs/2152205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-49017
--- End Message ---
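The failure mode named in the advisory, shown as an added example (not Swift's code and not the upstream patch): a decoder for aws-chunked framing that treats an empty read as end of input and raises instead of reading again. It assumes the `hex-size;chunk-signature=...` framing without trailing headers and does not verify signatures; all names and the sample body are constructed for illustration.

```python
import io

HEX = b"0123456789abcdefABCDEF"


class TruncatedBody(ValueError):
    """Input ended before the terminating zero-length chunk."""


def _read_exact(stream, n):
    buf = b""
    while len(buf) < n:
        piece = stream.read(n - len(buf))
        if not piece:
            # b"" means end of input. Retrying here is the loop that never ends.
            raise TruncatedBody(f"wanted {n} bytes, got {len(buf)}")
        buf += piece
    return buf


def _read_header(stream, limit=8192):
    line = stream.readline(limit)
    if not line.endswith(b"\r\n"):
        raise TruncatedBody("chunk header cut short (or over the length limit)")
    size_hex = line[:-2].split(b";", 1)[0]  # drop ";chunk-signature=..."
    if not size_hex or any(c not in HEX for c in size_hex):
        raise ValueError(f"bad chunk size {size_hex!r}")
    return int(size_hex, 16)


def decode_aws_chunked(stream):
    """Return the payload bytes, or raise if the framing is cut short."""
    payload = []
    while True:
        size = _read_header(stream)
        data = _read_exact(stream, size)
        if _read_exact(stream, 2) != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        if size == 0:
            return b"".join(payload)
        payload.append(data)


def _frame(data):
    # Constructed sample framing; the signature value is a placeholder.
    return b"%x;chunk-signature=PLACEHOLDER\r\n%s\r\n" % (len(data), data)


SAMPLE = _frame(b"hello ") + _frame(b"world") + _frame(b"")
```

Every proper prefix of `SAMPLE` raises `TruncatedBody`, so a request handler can map that one exception to a client error and release the worker.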
--- Begin Message ---
Source: swift
Source-Version: 2.35.1-0+deb13u2
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
swift, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated swift package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 May 2026 19:00:54 +0200
Source: swift
Architecture: source
Version: 2.35.1-0+deb13u2
Distribution: trixie-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1138170
Changes:
swift (2.35.1-0+deb13u2) trixie-security; urgency=medium
.
* CVE-2026-49017: Swift proxy-server denial of service via truncated s3api
chunked upload. Applied upstream patch: "s3api: Error on truncated
aws-chunked input" (Closes: #1138170).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---