Yoga Series Release Notes¶
Fixed a security issue in how
s3apihandles XML parsing that allowed authenticated S3 clients to read arbitrary files from proxy servers. Refer to CVE-2022-47950 for more information.
Constant-time string comparisons are now used when checking S3 API signatures.
Fixed a path-rewriting bug introduced in Python 3.7.14, 3.8.14, 3.9.14, and 3.10.6 that could cause some
domain_remaprequests to be routed to the wrong object.
Improved compatibility with certain FIPS-mode-enabled systems.
This is the final stable branch that will support Python 2.7.
Fixed s3v4 signature calculation when the client sends an un-encoded path in the request.
Fixed multiple issues in s3api involving Multipart Uploads with non-ASCII names.
The object-updater now defers rate-limited updates to the end of its cycle; these deferred updates will be processed (at the limited rate) until the configured
intervalelapses. A new
max_deferred_updatesoption may be used to bound the deferral queue.
Empty account and container partition directories are now cleaned up immediately after replication, rather than needing to wait for an additional replication cycle.
The object-expirer now only cleans up empty containers. Previously, it would attempt to delete all processed containers, regardless of whether there were entries which were skipped or had errors.
item_size_warning_thresholdoption may be used to monitor for values that are approaching the limit of what can be stored in memcache. See the memcache sample config for more information.
Internal clients now correctly use their configured
User-Agentin backend requests, rather than only using it for logging.
Various other minor bug fixes and improvements.