We are satisfied to announce the release of:

swift 2.28.1: OpenStack Object Storage

This release is part of the xena stable release series.

The source is available from:

    https://opendev.org/openstack/swift

Download the package from:

    https://tarballs.openstack.org/swift/

Please report issues through:

    https://bugs.launchpad.net/swift/+bugs

For more details, please see below.

2.28.1
^^^^^^

Security Issues
***************

* Fixed a security issue in how "s3api" handles XML parsing that allowed
  authenticated S3 clients to read arbitrary files from proxy servers.
  Refer to CVE-2022-47950 for more information.

* Constant-time string comparisons are now used when checking S3 API
  signatures.

Bug Fixes
*********

* Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14,
  and 3.10.6 that could cause some "domain_remap" requests to be routed to
  the wrong object.

* Improved compatibility with certain FIPS-mode-enabled systems.

* Ensure that non-durable data and .meta files are purged from handoffs
  after syncing.
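The two security items above name the defect classes (XML external entity processing in the s3api request parser, and a short-circuiting signature comparison) without showing what the hardened shape looks like. The following is an added, stdlib-only Python illustration written for this page; it is not swift's own code (swift's s3api parser in swift/common/middleware/s3api/etree.py is lxml-based) and does not reproduce the project's patch. It shows the two defensive patterns a proxy-side parser needs: refuse any DOCTYPE before a DTD can declare entities, and compare signatures with hmac.compare_digest. The request body, the DOCTYPE-bearing body, the secret and the string-to-sign are constructed fixtures; all function and class names are hypothetical.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a client-supplied XML body is refused before it is acted on."""


class _NoDoctypeTarget:
    """Parser target that builds a tree but refuses any <!DOCTYPE ...>.

    External entities (file://, http://) and entity-expansion bombs can only be
    declared inside a DTD, so rejecting the DOCTYPE closes off both. Ordinary
    events are delegated to a stock TreeBuilder.
    """

    def __init__(self):
        self._builder = ET.TreeBuilder()
        self.saw_doctype = False

    def start(self, tag, attrs):
        return self._builder.start(tag, attrs)

    def end(self, tag):
        return self._builder.end(tag)

    def data(self, text):
        return self._builder.data(text)

    def close(self):
        return self._builder.close()

    def doctype(self, name, pubid, system):
        # expat reports the DOCTYPE before any entity it declares can be used.
        self.saw_doctype = True
        raise UnsafeXML("DOCTYPE declarations are not accepted in request bodies")


def parse_untrusted_xml(data: bytes, max_bytes: int = 64 * 1024) -> ET.Element:
    """Parse an S3-style request body with DTD processing refused and a size cap."""
    if len(data) > max_bytes:
        raise UnsafeXML("request body exceeds %d bytes" % max_bytes)
    target = _NoDoctypeTarget()
    parser = ET.XMLParser(target=target)
    try:
        parser.feed(data)
        root = parser.close()
    except ET.ParseError as exc:
        raise UnsafeXML("malformed XML: %s" % exc) from None
    if target.saw_doctype:  # re-check in case a parser build swallowed the callback's error
        raise UnsafeXML("DOCTYPE declarations are not accepted in request bodies")
    return root


def extract_keys(body: bytes) -> list:
    """Return the object keys named in a multi-object Delete body."""
    return [key.text for key in parse_untrusted_xml(body).iter("Key")]


def rejects_doctype(body: bytes) -> bool:
    """True if the hardened parser refuses the body."""
    try:
        parse_untrusted_xml(body)
    except UnsafeXML:
        return True
    return False


def sign(secret: bytes, string_to_sign: bytes) -> str:
    """HMAC-SHA256 of the canonical request, hex encoded (the shape of an S3 signature)."""
    return hmac.new(secret, string_to_sign, hashlib.sha256).hexdigest()


def check_signature(secret: bytes, string_to_sign: bytes, presented: str) -> bool:
    """Compare the presented signature against the expected one in constant time.

    `expected == presented` returns as soon as one character differs, so the time
    taken leaks how long a matching prefix the client has; compare_digest does not.
    """
    expected = sign(secret, string_to_sign).encode("ascii")
    return hmac.compare_digest(expected, presented.encode("utf-8"))


# Constructed fixtures (not from the release or from swift's test suite).
SAMPLE_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b"<Delete><Object><Key>photos/a.jpg</Key></Object>"
    b"<Object><Key>photos/b.jpg</Key></Object></Delete>"
)
# Same body shape but carrying a DTD; the system id is deliberately inert.
DOCTYPE_BODY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Delete [<!ENTITY ext SYSTEM "file:///dev/null">]>'
    b"<Delete><Object><Key>&ext;</Key></Object></Delete>"
)

if __name__ == "__main__":
    print(extract_keys(SAMPLE_BODY))      # ['photos/a.jpg', 'photos/b.jpg']
    print(rejects_doctype(DOCTYPE_BODY))  # True
    sig = sign(b"secret", b"GET\n/bucket/photos/a.jpg")
    print(check_signature(b"secret", b"GET\n/bucket/photos/a.jpg", sig))  # True
```

Refusing the DOCTYPE outright is simpler to reason about than trying to allow "safe" DTDs: with no DTD there is nothing for an entity reference to resolve to, and the size cap bounds the work a single request can cause. The comparison helper encodes both sides to bytes because hmac.compare_digest rejects non-ASCII str input with a TypeError, which a malformed Authorization header could otherwise trigger.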
Changes in swift 2.28.0..2.28.1
-------------------------------

b1916f81e Authors/ChangeLog for 2.28.1
7d13d1a82 s3api: Prevent XXE injections
29f10ecff Fix docs build
8aface90d [stable-only] Pin tox<4 for stable branches (<=stable/zed) testing
ac05ac89b CI: pin tox at the project level
a196790cc Inline parse_request from cpython
75aae4c1b Extract SwiftHttpProtocol to its own module
9a7562d60 playbooks: replace ansible_ssh_user with ansible_user
d05ddb036 py2constraints: pin PasteDeploy version
b8b3f044f CI: Add nslookup_target to FIPS jobs
c6c51be17 Stop partial()ing hashlib.new
880422583 tests: Fix swiftclient/requests log level & Ignore py36 deprecation warnings
0fa745c7f s3api: Use constant-time string comparisons in check_signature
a1c33839e CI: remove swift-tox-func-encryption-py36-centos-8 job
01955bc1b Add FIPS CI jobs
71b491b05 Fix arm64 jobs on stable/xena
68bd795a6 Fix cname_lookup test
8c41bf79b reconstructor: remove non-durable files on handoffs
7520aada3 Update TOX_CONSTRAINTS_FILE for stable/xena
29c314ea7 Update .gitreview for stable/xena

Diffstat (except docs and test files)
-------------------------------------

 .gitreview                                         |   1 +
 .zuul.yaml                                         | 112 ++++--
 AUTHORS                                            |   3 +
 CHANGELOG                                          |  20 +-
 py2-constraints.txt                                |   1 +
 .../notes/2_28_1_release-f71f8c034dd44ce7.yaml     |  24 ++
 swift/__init__.py                                  |   6 +-
 swift/common/http_protocol.py                      | 320 ++++++++++++++++
 swift/common/middleware/s3api/etree.py             |   2 +-
 swift/common/middleware/s3api/s3request.py         |   6 +-
 swift/common/middleware/tempurl.py                 |   3 +-
 swift/common/wsgi.py                               | 234 +----------
 swift/obj/diskfile.py                              |  14 +-
 test/__init__.py                                   |   4 +
 test/functional/__init__.py                        |   3 +-
 test/functional/s3api/test_xxe_injection.py        | 233 ++++++++++++
 test/probe/test_sharder.py                         |   9 +-
 .../common/middleware/s3api/test_multi_delete.py   |  40 ++
 .../unit/common/middleware/s3api/test_s3request.py |  11 +
 test/unit/common/middleware/test_cname_lookup.py   |   7 +-
 test/unit/common/test_http_protocol.py             | 412 +++++++++++++++++++++
 test/unit/common/test_wsgi.py                      | 335 +----------------
 test/unit/helpers.py                               |   2 +-
 test/unit/obj/test_reconstructor.py                |   6 +-
 test/unit/proxy/test_server.py                     |   3 +-
 tools/playbooks/common/install_dependencies.yaml   |  20 +-
 tools/playbooks/dsvm/pre.yaml                      |   8 +-
 tools/playbooks/multinode_setup/common_config.yaml |   4 +-
 tools/playbooks/multinode_setup/make_rings.yaml    |   8 +-
 tools/playbooks/multinode_setup/pre.yaml           |   8 +-
 tools/playbooks/multinode_setup/run.yaml           |   2 +-
 .../templates/make_multinode_rings.j2              |   2 +-
 .../saio_single_node_setup/setup_saio.yaml         |  14 +-
 tox.ini                                            |   7 +-
 34 files changed, 1240 insertions(+), 644 deletions(-)
participants (1)
- no-reply@openstack.org