[release-announce] swift 2.29.2 (yoga)
no-reply at openstack.org
Tue Jan 31 15:29:55 UTC 2023
We are excited to announce the release of:
swift 2.29.2: OpenStack Object Storage
This release is part of the yoga stable release series.
The source is available from:
https://opendev.org/openstack/swift
Download the package from:
https://tarballs.openstack.org/swift/
Please report issues through:
https://bugs.launchpad.net/swift/+bugs
For more details, please see below.
2.29.2
^^^^^^
Security Issues
***************
* Fixed a security issue in how "s3api" handles XML parsing that
  allowed authenticated S3 clients to read arbitrary files from proxy
  servers. Refer to CVE-2022-47950 for more information.
* Constant-time string comparisons are now used when checking S3 API
  signatures.
Bug Fixes
*********
* Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14,
  3.9.14, and 3.10.6 that could cause some "domain_remap" requests to
  be routed to the wrong object.
* Improved compatibility with certain FIPS-mode-enabled systems.
Changes in swift 2.29.1..2.29.2
-------------------------------
198798312 Authors/ChangeLog for 2.29.2
d8d04ef43 s3api: Prevent XXE injections
e84cd4414 Fix docs build
8cf39653d [stable-only] Pin tox<4 for stable branches (<=stable/zed) testing
eb994ea50 CI: pin tox at the project level
a6a85919a Inline parse_request from cpython
4d6d6ba51 Extract SwiftHttpProtocol to its own module
5f45626fc playbooks: replace ansible_ssh_user with ansible_user
10849f049 py2constraints: pin PasteDeploy version
3e6ce930b CI: Add nslookup_target to FIPS jobs
00763d5a0 Stop partial()ing hashlib.new
7c888bf6c tests: Fix swiftclient/requests log level & Ignore py36 deprecation warnings
36ebcc848 s3api: Use constant-time string comparisons in check_signature
687515c06 Update TOX_CONSTRAINTS_FILE for stable/yoga
59e7ddd1b Update .gitreview for stable/yoga
Diffstat (except docs and test files)
-------------------------------------
.gitreview | 1 +
.zuul.yaml | 8 +-
AUTHORS | 1 +
CHANGELOG | 16 +
py2-constraints.txt | 1 +
.../notes/2_29_2_release-de619e50f10cc413.yaml | 20 +
swift/__init__.py | 10 +-
swift/common/http_protocol.py | 320 ++++++++++++++++
swift/common/middleware/s3api/etree.py | 2 +-
swift/common/middleware/s3api/s3request.py | 7 +-
swift/common/middleware/tempurl.py | 3 +-
swift/common/wsgi.py | 234 +-----------
test/__init__.py | 4 +
test/functional/__init__.py | 3 +-
test/functional/s3api/test_xxe_injection.py | 231 ++++++++++++
test/probe/test_sharder.py | 9 +-
.../common/middleware/s3api/test_multi_delete.py | 40 ++
.../unit/common/middleware/s3api/test_s3request.py | 11 +
test/unit/common/test_http_protocol.py | 412 +++++++++++++++++++++
test/unit/common/test_wsgi.py | 335 +----------------
test/unit/helpers.py | 2 +-
test/unit/proxy/test_server.py | 3 +-
tools/playbooks/common/install_dependencies.yaml | 20 +-
tools/playbooks/dsvm/pre.yaml | 8 +-
tools/playbooks/multinode_setup/common_config.yaml | 4 +-
tools/playbooks/multinode_setup/make_rings.yaml | 8 +-
tools/playbooks/multinode_setup/pre.yaml | 8 +-
tools/playbooks/multinode_setup/run.yaml | 2 +-
.../templates/make_multinode_rings.j2 | 2 +-
.../saio_single_node_setup/setup_saio.yaml | 14 +-
tox.ini | 7 +-
31 files changed, 1139 insertions(+), 607 deletions(-)