-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Nov 2025 15:04:00 +0100
Source: swift
Architecture: source
Version: 2.26.0-10+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1120057
Changes:
 swift (2.26.0-10+deb11u2) bullseye-security; urgency=medium
 .
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
     a presigned S3 URL), an unauthenticated attacker may obtain Keystone
     authorization (ec2tokens can yield a fully scoped token; s3tokens can
     reveal scope accepted by some services), resulting in unauthorized access
     and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
     are reachable by unauthenticated clients (e.g., exposed on a public API)
     are affected.
     Swift needs to be modified to accept the fix for Keystone, otherwise S3
     authentication will stop working.
     Deployers are advised to update Swift first, as the patched swift will work
     with unpatched keystone, while the opposite isn't true.
     Applied upstream patch (Closes: #1120057):
     Add bug-2119646-swift.patch, which offers swift side compatibility with the
     keystone fix.
   * Blacklist some tests.
Checksums-Sha1:
 87c4d69a2d6d687dcc432847ce3a6790af1cb1e9 3331 swift_2.26.0-10+deb11u2.dsc
 25d8adad840c4da26213d01ecbc2541216c846a3 2302476 swift_2.26.0.orig.tar.xz
 a2aa6f794bdb4deda3f2ef380fc62782f27ca18a 27928 swift_2.26.0-10+deb11u2.debian.tar.xz
 a40a046156806ab1f6cdea698aec3cf406d02561 15449 swift_2.26.0-10+deb11u2_amd64.buildinfo
Checksums-Sha256:
 41c982a42aef372daacb76d7056209a421dae1256499121de1e3ab2626a4105d 3331 swift_2.26.0-10+deb11u2.dsc
 68b57dce54445c4d0554dbf9efc112eccc1fd961e75015900474d8cae013ead9 2302476 swift_2.26.0.orig.tar.xz
 f48245cb1de9db613f51adc78b5fa505c003be8bf96f0eb7f06cccf1a93d8443 27928 swift_2.26.0-10+deb11u2.debian.tar.xz
 5afa1e1ba086bbe6eb60640ee3d5ad89265042e8e2f9f6f479ecb57728cfac45 15449 swift_2.26.0-10+deb11u2_amd64.buildinfo
Files:
 213d917a105a47f84d45f561d433bef1 3331 net optional swift_2.26.0-10+deb11u2.dsc
 611351b21eade1272085bddcea8259a1 2302476 net optional swift_2.26.0.orig.tar.xz
 c4b121daff6af9b31279da07de6f80e3 27928 net optional swift_2.26.0-10+deb11u2.debian.tar.xz
 cf91f169c8418c0cb4bb5710b9d56f08 15449 net optional swift_2.26.0-10+deb11u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
