@renovate renovate bot commented Dec 19, 2025

This PR contains the following updates:

Package                          Change               Age      Confidence
aws-sdk-s3 (source, changelog)   1.182.0 -> 1.208.0   [badge]  [badge]

GitHub Vulnerability Alerts

CVE-2025-14762

Summary

S3 Encryption Client for Ruby is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.

When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key.

Impact

Background - Key Commitment

There is a cryptographic property whereby, under certain conditions, a single ciphertext can be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which an encrypted message can only be decrypted by one key: the key used to originally encrypt the message.

In older versions of S3EC, when customers are also using a feature called "Instruction File" to store EDKs, key commitment is not implemented because multiple EDKs could be associated with an underlying encrypted message object. For such customers an attack that leverages the lack of key commitment is possible. A bad actor would need two things to leverage this issue: (i) the ability to create a separate, rogue EDK that will also decrypt the underlying object to produce the desired plaintext, and (ii) permission to upload a new instruction file to the S3 bucket to replace the existing instruction file placed there by the user using the S3EC. Any future attempt to decrypt the underlying encrypted message with the S3EC will unwittingly use the rogue EDK to produce a valid plaintext message.

Impacted versions: <= 1.207.0

Patches

We are introducing the concept of "key commitment" to S3EC, where the EDK is cryptographically bound to the ciphertext, in order to address this issue. In order to maintain compatibility for in-flight messages we are releasing the fix in two versions: a code-compatible minor version that can read messages with key commitment but not write them, and a new major version that can both read and write messages with key commitment. For maximum safety customers are asked to upgrade to the latest major version: 1.208.0 or later.
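Added illustration of the key-commitment principle the fix describes (example code, not the SDK's or S3EC's own implementation): the data key is bound to the ciphertext through a commitment value that a reader verifies before decrypting, so a substituted key is rejected before any plaintext is produced. The label, record layout and helper names are assumptions, not S3EC's actual format or algorithm suite.

```ruby
require 'openssl'
require 'securerandom'

# Minimal key-committing AES-256-GCM wrapper (illustration only; S3EC's real
# message format and algorithm suite differ).
module CommittingAead
  COMMIT_LABEL = 'key-commitment-v1'.freeze # assumed label, not S3EC's

  # Commitment value: a keyed MAC over a fixed label and the nonce. It depends
  # on the key, so a rogue key cannot reproduce the stored value.
  def self.commitment(key, iv)
    OpenSSL::HMAC.digest('SHA256', key, COMMIT_LABEL + iv)
  end

  # Constant-time comparison so the check does not leak via timing.
  def self.same?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Produces the record a reader needs; in S3EC terms this is what would be
  # stored in object metadata or an instruction file alongside the object.
  def self.encrypt(key, plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    iv = cipher.random_iv
    commit = commitment(key, iv)
    cipher.auth_data = commit # the GCM tag also covers the commitment
    ciphertext = cipher.update(plaintext) + cipher.final
    { iv: iv, commit: commit, tag: cipher.auth_tag, ciphertext: ciphertext }
  end

  # Raises if the key does not match the commitment or the GCM tag fails.
  def self.decrypt(key, record)
    unless same?(commitment(key, record[:iv]), record[:commit])
      raise 'key commitment mismatch: wrong or substituted key'
    end
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = record[:iv]
    cipher.auth_data = record[:commit]
    cipher.auth_tag = record[:tag]
    cipher.update(record[:ciphertext]) + cipher.final
  end

  # True only when decrypt refuses the key (commitment or tag failure).
  def self.rejects?(key, record)
    decrypt(key, record)
    false
  rescue StandardError
    true
  end
end
```

Because the commitment is also fed to GCM as associated data, replacing the stored commitment with one computed for a different key makes the authentication tag fail as well.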

Workarounds

There are no workarounds; please upgrade to the suggested version of S3EC.

References

If customers have any questions or comments about this advisory, AWS SDK for Ruby asks that they contact AWS Security via the issue reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.


Release Notes

aws/aws-sdk-ruby (aws-sdk-s3)

v1.208.0

  • Feature - Updates to the S3 Encryption Client. The V3 S3 Encryption Client now requires key committing algorithm suites by default.

v1.207.0

  • Feature - This release adds support for the new optional field 'LifecycleExpirationDate' in S3 Inventory configurations.

v1.206.0

  • Feature - New S3 Storage Class FSX_ONTAP

v1.205.0

  • Feature - Enable / Disable ABAC on a general purpose bucket.

v1.204.0

  • Feature - Adds support for blocking SSE-C writes to general purpose buckets.

v1.203.1

  • Issue - Deprecated :checksum_mode parameter in FileDownloader#download. When set to "DISABLED", a deprecation warning is issued and the parameter is ignored. Use :response_checksum_validation on the S3 client instead to control checksum validation behavior.

v1.203.0

  • Feature - Launch IPv6 dual-stack support for S3 Express

v1.202.0

  • Feature - Amazon Simple Storage Service / Features: Add conditional writes in CopyObject on destination key to prevent unintended object modifications.

v1.201.0

  • Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's CHANGELOG.md for details.

  • Issue - Fix multipart upload to respect request_checksum_calculation when_required mode.

v1.200.0

  • Feature - Add lightweight thread pool executor for multipart download_file, upload_file and upload_stream.

  • Feature - Add custom executor support for Aws::S3::TransferManager.

v1.199.1

  • Issue - Update TransferManager#download_file and Object#download_file documentation regarding temporary file usage and failure handling for different destination types.

v1.199.0

  • Feature - This release includes backward compatibility work on the "Expires" parameter.

v1.198.0

  • Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's CHANGELOG.md for details.

  • Issue - Fix multipart download_file to support Pathname, File and Tempfile objects as download destinations.

v1.197.0

  • Issue - When multipart stream uploader fails to complete multipart upload, it calls abort multipart upload.

  • Issue - For Aws::S3::Object class, the following methods have been deprecated: download_file, upload_file and upload_stream. Use Aws::S3::TransferManager instead.

  • Feature - Add Aws::S3::TransferManager, a S3 transfer utility that provides upload/download capabilities with automatic multipart handling, progress tracking, and handling of large files.

v1.196.1

  • Issue - Add range validation to multipart download to ensure all parts are successfully processed.

  • Issue - When multipart uploader fails to complete multipart upload, it calls abort multipart upload.

  • Issue - Clean up partially downloaded file on multipart download_file failure while preserving existing file.

v1.196.0

  • Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's CHANGELOG.md for details.

v1.195.0

  • Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's CHANGELOG.md for details.

v1.194.0

  • Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's CHANGELOG.md for details.

v1.193.0

  • Feature - Amazon S3 Metadata live inventory tables provide a queryable inventory of all the objects in your general purpose bucket so that you can determine the latest state of your data. To help minimize your storage costs, use journal table record expiration to set a retention period for your records.

v1.192.0

  • Feature - Added support for directory bucket creation with tags and bucket ARN retrieval in CreateBucket, ListDirectoryBuckets, and HeadBucket operations

v1.191.0

  • Feature - Adds support for additional server-side encryption mode and storage class values for accessing Amazon FSx data from Amazon S3 using S3 Access Points

v1.190.0

  • Feature - Added support for renaming objects within the same bucket using the new RenameObject API.

v1.189.1

  • Issue - Only load required cgi modules for Ruby 3.5.

v1.189.0

  • Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's CHANGELOG.md for details.

v1.188.0

  • Feature - Adding checksum support for S3 PutBucketOwnershipControls API.

v1.187.0

  • Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's CHANGELOG.md for details.

  • Issue - Signal data in http response listeners prior to writing, so that data can be inspected or verified before potential mutation.

v1.186.1

  • Issue - Abort multipart download if object is modified during download.

v1.186.0

  • Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's CHANGELOG.md for details.

v1.185.0

  • Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's CHANGELOG.md for details.

v1.184.0

  • Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's CHANGELOG.md for details.

v1.183.0

  • Feature - Amazon S3 adds support for S3 Access Points for directory buckets in AWS Dedicated Local Zones

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
