21:00:22 <timburke> #startmeeting swift
21:00:22 <opendevmeet> Meeting started Wed Jan 25 21:00:22 2023 UTC and is due to finish in 60 minutes. The chair is timburke. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:00:22 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
21:00:22 <opendevmeet> The meeting name has been set to 'swift'
21:00:33 <timburke> who's here for the swift team meeting?
21:00:38 <seongsoocho> o/
21:01:11 <indianwhocodes> o/
21:01:18 <zaitcev> Well, I am worried. The data model is kept, yes. So not as much forceful disruption. But they were throwing a bug down every goddamn release! Always something is screwed up in their eventlet or HTTP client.
21:01:36 <acoles> o/
21:02:10 <timburke> zaitcev, fair point -- good chance DHE will need to upgrade eventlet too
21:02:42 <timburke> as usual, the agenda's at
21:02:44 <timburke> #link https://wiki.openstack.org/wiki/Meetings/Swift
21:02:57 <timburke> first up
21:03:10 <timburke> #topic stable gate testing
21:03:31 <opendevreview> Merged openstack/swift stable/train: s3api: Prevent XXE injections https://review.opendev.org/c/openstack/swift/+/871244
21:03:51 <timburke> just an fyi -- last week i talked about possibly removing integrated testing from older stable branches
21:04:51 <timburke> i went ahead and did that for train and ussuri. since they're in extended-maintenance mode already, i don't think there's much other notification we need to give, but wanted to make sure y'all are aware
21:05:32 <timburke> that was done to work around some broken jobs that were blocking...
21:05:40 <timburke> #topic CVE fixes
21:07:10 <timburke> as a refresher (i think seongsoocho may not have been here for the other meetings talking about it), a vulnerability was found in s3api's XML handling
21:07:13 <timburke> #link https://bugs.launchpad.net/swift/+bug/1998625
21:07:55 <timburke> it allows authenticated clients to read arbitrary files off swift proxy servers
21:08:31 <seongsoocho> Yes. Now I patch it in our production swift. I tested it before, The CVE only occurs if the s3_acl option is enabled. the default is false.
21:08:40 <timburke> patches have now merged to master and most open stable branches -- zed through train
21:09:44 <timburke> seongsoocho, i'm pretty sure it would be exploitable via the delete-objects API -- i don't think that would be impacted by s3_acl
21:10:21 <timburke> but i suppose as long as your swift is updated, it doesn't matter too much now :-)
21:10:56 <timburke> patches have also been proposed to rocky and stein; i'll keep on them to get them merged
21:11:26 <timburke> any comments or questions about the CVE?
21:11:59 <seongsoocho> oh.. ok.. I've only reproduced it with xml files in the body of launchpad. It can also be exploited with the delete-objects API....
21:12:55 <timburke> the unit test that was merged uses that api, fwiw -- in case you want a starting point to try it out with s3_acl disabled
21:13:40 <seongsoocho> ok I will check it. thanks
21:15:28 <timburke> also on my list is to get a release together, so we have a tag we can point to that isn't affected. i'll likely also propose stable releases back through xena
21:18:07 <timburke> the CVE's been my main focus for most of the last week -- i'm afraid i still haven't started on PTG prep, but i left it on the agenda to remind myself about it
21:18:17 <timburke> so i think that's all i've got
21:18:22 <timburke> #topic open discussion
21:18:40 <timburke> anything else we should bring up this week?
21:18:40 <acoles> timburke: thanks for all your work on the CVE and tests - seems like you got your priorities right :)
21:19:03 <seongsoocho> 👍 thanks timburke
21:20:38 <indianwhocodes> +1 timburke
21:22:15 <timburke> all right, i think i'll call it then
21:22:26 <timburke> thank you all for coming, and thank you for working on swift!
21:22:37 <timburke> #endmeeting