Format: 1.8
Date: Fri, 31 Oct 2025 01:49:35 +0100
Source: swift
Binary: python3-swift swift swift-account swift-container swift-doc swift-drive-audit swift-object swift-object-expirer swift-proxy
Architecture: all
Version: 2.35.1-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Thomas Goirand
Description:
 python3-swift - distributed virtual object store - Python 3 libraries
 swift - distributed virtual object store - common files
 swift-account - distributed virtual object store - account server
 swift-container - distributed virtual object store - container server
 swift-doc - distributed virtual object store - documentation
 swift-drive-audit - distributed virtual object store - drive audit
 swift-object - distributed virtual object store - object server
 swift-object-expirer - distributed virtual object store - object-expirer
 swift-proxy - distributed virtual object store - proxy server
Closes: 1120057
Changes:
 swift (2.35.1-0+deb13u1) trixie-security; urgency=medium
 .
   * New upstream point release: This new point release adds the feature to
     allow the use of aws-chunked transfer encoding. This is important
     because most S3 clients are using the boto library that has dropped
     support for any other protocol. This upstream point release contains
     only that change, which is minimal and will not affect any deployment
     other than accepting aws-chunked transfer.
   * Blacklist 2 unit tests that require isal lib to be installed:
     - test_sig_v4_strm_unsgnd_pyld_trl_checksum_hdr_unsupported
     - test_get_checksum_hasher
   * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
     s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g.,
     from a presigned S3 URL), an unauthenticated attacker may obtain
     Keystone authorization (ec2tokens can yield a fully scoped token;
     s3tokens can reveal scope accepted by some services), resulting in
     unauthorized access and privilege escalation. Deployments where
     /v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated clients
     (e.g., exposed on a public API) are affected. Swift needs to be
     modified to accept the fix for Keystone, otherwise S3 authentication
     will stop working. Deployers are advised to update Swift first, as the
     patched swift will work with unpatched keystone, while the opposite
     isn't true. Applied upstream patch (Closes: #1120057): Add
     bug-2119646-swift.patch, which offers swift side compatibility with
     the keystone fix.