Your message dated Wed, 25 Jan 2023 19:49:58 +0000
with message-id <e1pklmq-005wls...@fasolo.debian.org>
and subject line Bug#1029200: fixed in swift 2.26.0-10+deb11u1
has caused the Debian Bug report #1029200,
regarding CVE-2022-47950: Arbitrary file access through custom S3 XML entities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1029200: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029200
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: swift-proxy
Version: 2.26.0-10
Severity: serious
Tags: patch

Title: Arbitrary file access through custom S3 XML entities
Reporter: Sébastien Meriot (OVH)
Products: Swift
Affects: <2.28.1, >=2.29.0 <2.29.2, ==2.30.0

Description:
Sébastien Meriot (OVH) reported a vulnerability in Swift's S3 XML
parser. By supplying specially crafted XML files an authenticated
user may coerce the S3 API into returning arbitrary file contents
from the host server resulting in unauthorized read access to
potentially sensitive data; this impacts both s3api deployments
(Rocky or later), and swift3 deployments (Queens and earlier, no
longer actively developed). Only deployments with S3 compatibility
enabled are affected.

See attached patches. Unless a flaw is discovered in them, these
patches will be merged to their corresponding branches on the public
disclosure date. The master branch patch applies cleanly to
stable/zed, stable/yoga, stable/xena and stable/wallaby branches,
but separate copies of it are attached for each for the sake of
clarity. The fix could be applied with some fuzz to branches as old
as stable/train, and with some minor unit test adjustments as far
back as stable/rocky. Note that the stable/wallaby branch is under
extended maintenance (as are older branches) and will receive no new
point releases, but a patch for it is provided as a courtesy.

CVE: CVE-2022-47950

Proposed public disclosure date/time:
2023-01-17, 1500UTC
Please do not make the issue public (or release public patches)
before this coordinated embargo date.

Original private report:
https://launchpad.net/bugs/1998625
For access to read and comment on this report, please reply to me
with your Launchpad username and I will subscribe you.

--- End Message ---
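As an added example (not code from the advisory, from Swift, or from the Debian package), the mitigation the report above calls for, written against Python's standard library: an S3-style request body is parsed with expat and refused as soon as a DOCTYPE or entity declaration appears, so no custom entity can ever be expanded or fetched. The function names, the sample bodies and the `file:///PLACEHOLDER` URI are constructed for illustration; this is a generic hardening pattern, not the upstream patch.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class DisallowedXML(ValueError):
    """Raised for DTD/entity constructs an S3 request body never needs."""

def parse_s3_body(body: bytes, expected_root: str) -> ET.Element:
    """Parse an S3 request body, refusing any DTD before it can expand."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def refuse(*_args):
        raise DisallowedXML("DOCTYPE / entity declarations are not allowed")

    # Abort at the first DTD construct: no internal subset, no entity
    # declarations, no attempt to fetch an external entity.
    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse
    parser.StartElementHandler = builder.start  # build the tree normally
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    root = builder.close()
    if root.tag != expected_root:
        raise ValueError(f"unexpected root element {root.tag!r}")
    return root

def accepted(body: bytes, expected_root: str) -> bool:
    """True if the body parses under the hardened rules, False if refused."""
    try:
        parse_s3_body(body, expected_root)
        return True
    except ValueError:
        return False

def part_numbers(body: bytes) -> list:
    """PartNumber values of a CompleteMultipartUpload body, in order."""
    root = parse_s3_body(body, "CompleteMultipartUpload")
    return [int(p.findtext("PartNumber")) for p in root.iter("Part")]

# Constructed sample bodies (not taken from the advisory).
BENIGN = (b"<CompleteMultipartUpload><Part><PartNumber>1</PartNumber></Part>"
          b"<Part><PartNumber>2</PartNumber></Part></CompleteMultipartUpload>")
WITH_DTD = (b'<!DOCTYPE CompleteMultipartUpload [<!ENTITY ext SYSTEM '
            b'"file:///PLACEHOLDER">]><CompleteMultipartUpload><Part>'
            b"<ETag>&ext;</ETag></Part></CompleteMultipartUpload>")
```

The rejection happens inside the parser callbacks, so it also covers DTDs hidden behind comments or processing instructions that a regex pre-check on the raw bytes would miss.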
--- Begin Message ---
Source: swift
Source-Version: 2.26.0-10+deb11u1
Done: Thomas Goirand <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
swift, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated swift package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 19 Jan 2023 17:07:48 +0100
Source: swift
Architecture: source
Version: 2.26.0-10+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian OpenStack <team+openst...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1029200
Changes:
 swift (2.26.0-10+deb11u1) bullseye-security; urgency=medium
 .
   * CVE-2022-47950 / OSSA-2023-001: Arbitrary file access through custom S3 XML
     entities. Add upstream patch backported to Bullseye:
     CVE-2022-47950-stable-victoria.patch (Closes: #1029200).
   * Exclude test TestCNAMELookup.test_host_is_storage_domain().


--- End Message ---