Your message dated Tue, 04 Nov 2025 16:34:30 +0000
with message-id <[email protected]>
and subject line Bug#1120057: fixed in swift 2.36.0-5
has caused the Debian Bug report #1120057,
regarding incompatible with patch for: Unauthenticated access to EC2/S3 token
endpoints can grant Keystone authorization
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1120057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120057
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: swift
Version: 2.35.0-4
Severity: important
As per bug #1120053:
* OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
a presigned S3 URL), an unauthenticated attacker may obtain Keystone
authorization (ec2tokens can yield a fully scoped token; s3tokens can
reveal scope accepted by some services), resulting in unauthorized access
and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
are reachable by unauthenticated clients (e.g., exposed on a public API)
are affected.
Swift needs to be modified to accept the fix for Keystone, otherwise S3
authentication will stop working.
Deployers are advised to update Swift first, as the patched swift will work
with unpatched keystone, while the opposite isn't true.
--- End Message ---
--- Begin Message ---
Source: swift
Source-Version: 2.36.0-5
Done: Thomas Goirand <[email protected]>
We believe that the bug you reported is fixed in the latest version of
swift, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated swift package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 31 Oct 2025 01:39:14 +0100
Source: swift
Architecture: source
Version: 2.36.0-5
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1120057
Changes:
swift (2.36.0-5) unstable; urgency=high
.
* Refreshed patches.
* OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
a presigned S3 URL), an unauthenticated attacker may obtain Keystone
authorization (ec2tokens can yield a fully scoped token; s3tokens can
reveal scope accepted by some services), resulting in unauthorized access
and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
are reachable by unauthenticated clients (e.g., exposed on a public API)
are affected.
Swift needs to be modified to accept the fix for Keystone, otherwise S3
authentication will stop working.
Deployers are advised to update Swift first, as the patched swift will work
with unpatched keystone, while the opposite isn't true.
Applied upstream patch (Closes: #1120057):
Add bug-2119646-swift.patch, which offers swift side compatibility with the
keystone fix.
--- End Message ---