Your message dated Wed, 25 Jan 2023 19:49:58 +0000
with message-id <e1pklmq-005wls...@fasolo.debian.org>
and subject line Bug#1029200: fixed in swift 2.26.0-10+deb11u1
has caused the Debian Bug report #1029200,
regarding swift: CVE-2022-47950
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1029200: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: swift
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for swift.

CVE-2022-47950:
OSSA-2023-001: Arbitrary file access through custom S3 XML entities

Sébastien Meriot (OVH) reported a vulnerability in Swift's S3 XML
parser. By supplying specially crafted XML files an authenticated user
may coerce the S3 API into returning arbitrary file contents from the
host server resulting in unauthorized read access to potentially
sensitive data; this impacts both s3api deployments (Rocky or later),
and swift3 deployments (Queens and earlier, no longer actively
developed). Only deployments with S3 compatibility enabled are
affected.

https://www.openwall.com/lists/oss-security/2023/01/17/1

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-47950
    https://www.cve.org/CVERecord?id=CVE-2022-47950

Please adjust the affected versions in the BTS as needed.

--- End Message ---
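As an added illustration of the bug class described in the report above (this is not swift's code and not the upstream patch): a Python guard that refuses an S3 request body declaring a DOCTYPE or any entity before it reaches the real XML parser, so no custom entity can ever be expanded into local file contents. The function names and the two request bodies are constructed for the example.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

class UnsafeXMLBody(ValueError):
    """The body declares a DOCTYPE or an entity and must be refused."""

def reject_dtd(body: bytes) -> None:
    """Raise UnsafeXMLBody if the body has any DOCTYPE or entity declaration.

    expat only reports declarations here and never fetches an external entity
    on its own (that would need an ExternalEntityRefHandler, which is not set).
    """
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLBody("DOCTYPE declaration in S3 request body")

    def on_entity(*decl):  # fires for internal and external entities alike
        raise UnsafeXMLBody("entity declaration in S3 request body")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(body, True)

def body_is_safe(body: bytes) -> bool:
    """True when the body may be handed to the real XML parser."""
    try:
        reject_dtd(body)
    except UnsafeXMLBody:
        return False
    return True

def parse_s3_body(body: bytes) -> ET.Element:
    """Guarded parse: only DTD-free, well-formed XML reaches ElementTree."""
    reject_dtd(body)
    return ET.fromstring(body)

# Constructed request bodies for the demonstration, not captured traffic.
BENIGN_BODY = b"""<CompleteMultipartUpload>
  <Part><PartNumber>1</PartNumber><ETag>"etag-placeholder"</ETag></Part>
</CompleteMultipartUpload>"""

# The same request with an internal DTD defining an external entity; a parser
# that resolves entities would substitute the referenced local file into ETag.
ENTITY_BODY = b"""<!DOCTYPE CompleteMultipartUpload [
  <!ENTITY leak SYSTEM "file:///path/to/a/local/file">
]>
<CompleteMultipartUpload>
  <Part><PartNumber>1</PartNumber><ETag>&leak;</ETag></Part>
</CompleteMultipartUpload>"""
```

Malformed XML still surfaces as xml.parsers.expat.ExpatError, distinct from the UnsafeXMLBody rejection, so the two failure modes can be reported separately.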
--- Begin Message ---
Source: swift
Source-Version: 2.26.0-10+deb11u1
Done: Thomas Goirand <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
swift, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated swift package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 19 Jan 2023 17:07:48 +0100
Source: swift
Architecture: source
Version: 2.26.0-10+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1029200
Changes:
 swift (2.26.0-10+deb11u1) bullseye-security; urgency=medium
 .
   * CVE-2022-47950 / OSSA-2023-001: Arbitrary file access through custom S3 XML
     entities. Add upstream patch backported to Bullseye:
     CVE-2022-47950-stable-victoria.patch (Closes: #1029200).
   * Exclude test TestCNAMELookup.test_host_is_storage_domain().

--- End Message ---
