Your message dated Wed, 24 Jun 2026 14:36:03 +0000
with message-id <[email protected]>
and subject line Bug#1140678: fixed in swift 2.37.1-5
has caused the Debian Bug report #1140678,
regarding CVE-2026-50221 / OSSA-2026-024: Swift proxy-server SSRF via header
injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140678: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140678
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: swift
Severity: important
Tags: patch security
X-Debbugs-Cc: Debian Security Team <[email protected]>
As per upstream announcement:
https://security.openstack.org/ossa/OSSA-2026-024.html
OSSA-2026-024: Swift proxy-server SSRF via header injection
Date: June 23, 2026
CVE: CVE-2026-50221
Affects:
Swift: >=2.0.0 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2
Description:
Tim Shephard from roiai.ca reported a server-side request forgery (SSRF)
vulnerability in Swift’s proxy-server. An authenticated user can cause Swift
object servers to issue outbound HTTP requests to attacker-specified hosts,
potentially exposing internal infrastructure details. All deployments running
Swift 2.0.0 or later are affected.
Patches
https://review.opendev.org/994452 (2025.1/epoxy)
https://review.opendev.org/994451 (2025.2/flamingo)
https://review.opendev.org/994450 (2026.1/gazpacho)
https://review.opendev.org/994449 (2026.2/hibiscus (development))
Credits
Tim Shephard from roiai.ca (CVE-2026-50221)
References
https://launchpad.net/bugs/2150261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50221
--- End Message ---
--- Begin Message ---
Source: swift
Source-Version: 2.37.1-5
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
swift, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated swift package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 10 Jun 2026 10:31:50 +0200
Source: swift
Architecture: source
Version: 2.37.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1140678
Changes:
swift (2.37.1-5) unstable; urgency=medium
.
* CVE-2026-50221: Swift proxy-server SSRF via internal update header
injection: applied upstream patch: Block internal update headers at the
gatekeeper (Closes: #1140678).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
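The advisory lists upstream 2.37.1 as affected, yet the Debian upload 2.37.1-5 carries the fix as a backported patch, so a check on the upstream version alone misreports patched hosts. The following triage helper is an added example, not part of the thread and not Debian or OpenStack tooling; the function names are hypothetical, and it assumes version strings with no epoch and a purely numeric Debian revision.

```python
import re

# Affected upstream ranges, copied from the OSSA-2026-024 text in this thread:
# >=2.0.0 <2.35.3, >=2.36.0 <2.36.2, >=2.37.0 <2.37.2
AFFECTED = [
    ((2, 0, 0), (2, 35, 3)),
    ((2, 36, 0), (2, 36, 2)),
    ((2, 37, 0), (2, 37, 2)),
]

# Debian revisions that backport the fix onto an upstream version still inside
# an affected range. Only 2.37.1-5 is named in this thread.
DEBIAN_FIXED = {(2, 37, 1): 5}


def parse(version):
    """Split 'X.Y.Z[-N]' into ((X, Y, Z), N); N is None without a revision.

    Assumption: no epoch and a purely numeric Debian revision. Anything else
    raises ValueError instead of being guessed at.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    upstream = tuple(int(x) for x in m.group(1, 2, 3))
    revision = int(m.group(4)) if m.group(4) else None
    return upstream, revision


def status(version):
    """Return 'not-affected', 'fixed-by-backport' or 'affected'."""
    upstream, revision = parse(version)
    if not any(lo <= upstream < hi for lo, hi in AFFECTED):
        return "not-affected"
    fixed_rev = DEBIAN_FIXED.get(upstream)
    if revision is not None and fixed_rev is not None and revision >= fixed_rev:
        return "fixed-by-backport"
    return "affected"


if __name__ == "__main__":
    # Constructed sample inputs, standing in for an inventory of installed versions.
    for v in ["2.37.1-4", "2.37.1-5", "2.37.1", "2.35.3", "2.36.1-2", "1.13.1"]:
        print(f"{v:10} {status(v)}")
```

Versions that carry a suffix after the revision (stable security or backports uploads) are rejected on purpose; compare those with `dpkg --compare-versions` against the fixed version published for that suite.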