We are satisfied to announce the release of:

swift 2.30.1: OpenStack Object Storage

This release is part of the zed stable release series.

The source is available from:

    https://opendev.org/openstack/swift

Download the package from:

    https://tarballs.openstack.org/swift/

Please report issues through:

    https://bugs.launchpad.net/swift/+bugs

For more details, please see below.

2.30.1
^^^^^^

Security Issues
***************

* Fixed a security issue in how "s3api" handles XML parsing that
  allowed authenticated S3 clients to read arbitrary files from proxy
  servers. Refer to CVE-2022-47950 for more information.

Bug Fixes
*********

* Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14,
  3.9.14, and 3.10.6 that could cause some "domain_remap" requests to
  be routed to the wrong object.

Changes in swift 2.30.0..2.30.1
-------------------------------

fbec7694e Authors/ChangeLog for 2.30.1
041cb672e tests: Ensure XXE injection tests have config loaded
d444fc73b Fix docs build
8dd96470a s3api: Prevent XXE injections
a2d363de6 [stable-only] Pin tox<4 for stable branches (<=stable/zed) testing
191bb266d CI: pin tox at the project level
5637dddcd CI: Pin tox<4 on stable branches
aa81e4f2b Inline parse_request from cpython
f37cf45f7 Extract SwiftHttpProtocol to its own module
c8662c6f0 Mark rolling-upgrade job non-voting
88e3f7be9 Fix Zed CI
6fd031055 Migrate CentOS Stream 8 FIPS job to CentOS Stream 9
49d35e0c3 Update TOX_CONSTRAINTS_FILE for stable/zed
86c46d614 Update .gitreview for stable/zed

Diffstat (except docs and test files)
-------------------------------------

 .gitreview                                         |   1 +
 .mailmap                                           |   1 +
 .zuul.yaml                                         |  75 ++--
 AUTHORS                                            |   3 +-
 CHANGELOG                                          |  13 +-
 py2-constraints.txt                                |   1 +
 .../notes/2_30_1_release-856dd70ec466aa74.yaml     |  13 +
 swift/__init__.py                                  |  10 +-
 swift/common/http_protocol.py                      | 320 ++++++++++++++++
 swift/common/middleware/s3api/etree.py             |   2 +-
 swift/common/wsgi.py                               | 234 +-----------
 test/functional/__init__.py                        |   3 +-
 test/functional/s3api/test_xxe_injection.py        | 231 ++++++++++++
 .../common/middleware/s3api/test_multi_delete.py   |  40 ++
 test/unit/common/test_http_protocol.py             | 412 +++++++++++++++++++++
 test/unit/common/test_wsgi.py                      | 335 +----------------
 test/unit/helpers.py                               |   2 +-
 test/unit/proxy/test_server.py                     |   3 +-
 tools/playbooks/common/install_dependencies.yaml   |  20 +-
 tools/playbooks/dsvm/pre.yaml                      |   8 +-
 tools/playbooks/multinode_setup/common_config.yaml |   4 +-
 tools/playbooks/multinode_setup/make_rings.yaml    |   8 +-
 tools/playbooks/multinode_setup/pre.yaml           |   8 +-
 tools/playbooks/multinode_setup/run.yaml           |   2 +-
 .../templates/make_multinode_rings.j2              |   2 +-
 .../saio_single_node_setup/setup_saio.yaml         |  14 +-
 tools/test-setup.sh                                |  12 +
 tox.ini                                            |   7 +-
 29 files changed, 1155 insertions(+), 637 deletions(-)