Yoga Series Release Notes

2.29.2

Security Issues

  • Fixed a security issue in how s3api handles XML parsing that allowed authenticated S3 clients to read arbitrary files from proxy servers. Refer to CVE-2022-47950 for more information.

  • Constant-time string comparisons are now used when checking S3 API signatures.
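
The constant-time signature check noted above, sketched as an added Python example (this is not Swift's s3api code): it derives an AWS Signature Version 4 signature with the standard key-derivation chain and compares it to the client-supplied value with hmac.compare_digest. The function names, the secret key and the string-to-sign are constructed for illustration.

```python
import hashlib
import hmac


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_signature(secret_key: str, date: str, region: str,
                    service: str, string_to_sign: str) -> str:
    """Standard SigV4 derivation: date -> region -> service -> aws4_request."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    return hmac.new(k_signing, string_to_sign.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def naive_matches(expected_hex: str, client_sig: str) -> bool:
    # Weak form: == may return at the first differing character, so the
    # response time can depend on how long the matching prefix is.
    return expected_hex == client_sig


def signature_matches(expected_hex: str, client_sig: str) -> bool:
    # Hardened form: compare_digest's running time does not depend on where
    # the inputs differ. Both sides are encoded to bytes first, because
    # compare_digest raises TypeError when given a non-ASCII str, and the
    # client-supplied value is untrusted.
    return hmac.compare_digest(expected_hex.encode("utf-8"),
                               client_sig.encode("utf-8"))


# Constructed sample request data (not taken from a real deployment).
SAMPLE_STRING_TO_SIGN = "\n".join([
    "AWS4-HMAC-SHA256",
    "20220101T000000Z",
    "20220101/us-east-1/s3/aws4_request",
    hashlib.sha256(b"constructed canonical request").hexdigest(),
])

if __name__ == "__main__":
    expected = sigv4_signature("constructed-secret", "20220101", "us-east-1",
                               "s3", SAMPLE_STRING_TO_SIGN)
    print(signature_matches(expected, expected))   # matching signature
    print(signature_matches(expected, "0" * 64))   # wrong signature
```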

Bug Fixes

  • Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, and 3.10.6 that could cause some domain_remap requests to be routed to the wrong object.

  • Improved compatibility with certain FIPS-mode-enabled systems.

2.29.1

Deprecation Notes

  • This is the final stable branch that will support Python 2.7.

Bug Fixes

  • Fixed s3v4 signature calculation when the client sends an un-encoded path in the request.

  • Fixed multiple issues in s3api involving Multipart Uploads with non-ASCII names.

  • The object-updater now defers rate-limited updates to the end of its cycle; these deferred updates will be processed (at the limited rate) until the configured interval elapses. A new max_deferred_updates option may be used to bound the deferral queue.

  • Empty account and container partition directories are now cleaned up immediately after replication, rather than needing to wait for an additional replication cycle.

  • The object-expirer now only cleans up empty containers. Previously, it would attempt to delete all processed containers, regardless of whether there were entries which were skipped or had errors.

  • A new item_size_warning_threshold option may be used to monitor for values that are approaching the limit of what can be stored in memcache. See the memcache sample config for more information.

  • Internal clients now correctly use their configured User-Agent in backend requests, rather than only using it for logging.

  • Various other minor bug fixes and improvements.