[Openstack-devel] Bug#700949: keystone, nova, cinder: Assigned CVEs and three CVEs rejected
Salvatore Bonaccorso
carnil at debian.org
Tue Feb 19 21:46:46 UTC 2013
Hi Thomas
This is to notify you about a problem in the CVEs used: There was a
small unclear situation on assigning the CVEs for these issues
apparently, see [1].
[1]: http://marc.info/?l=oss-security&m=136129931825949&w=2
In short: CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 were
rejected and CVE-2013-1664 and CVE-2013-1665 are to be used for the
respective issues.
----cut---------cut---------cut---------cut---------cut---------cut-----
- From Thierry Carrez:
====
After discussion with the Python security team and Kurt, we'll use the
following common CVEs:
CVE-2013-1664 Unrestricted entity expansion induces DoS
vulnerabilities in Python XML libraries (XML bomb)
^ affects Keystone, Cinder, Nova
CVE-2013-1665 External entity expansion in Python XML libraries
inflicts potential security flaws and DoS vulnerabilities
^ affects Keystone
The vulnerabilities are actually in those Python libraries, they are
just being worked around in OpenStack patches. The description will be
updated to clarify this (see below).
====
As you can see from the advisories:
http://seclists.org/oss-sec/2013/q1/338
CVE: CVE-2013-1664, CVE-2013-1665
They were correctly referenced in the OpenStack advisories, however
the CVEs did get used elsewhere:
http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
CVE-2013-0278
OpenStack Keystone
CVE-2013-0279
Cinder
CVE-2013-0280
Nova
So please REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 and
use CVE-2013-1664, CVE-2013-1665 as appropriate instead to identify
these issues. Sorry for the confusion.
----cut---------cut---------cut---------cut---------cut---------cut-----
I know you have already updated the packages, if possible could you
change the CVE identifiers in the changelog in your next upload?
I will try to update the security-tracker with the above information.
Regards,
Salvatore
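The quoted description above names the two flaw classes behind CVE-2013-1664 and CVE-2013-1665: unrestricted internal entity expansion (an "XML bomb") and external entity expansion in the Python XML libraries, which OpenStack worked around in its own patches. The following is an added example, not code from this mail thread, from OpenStack or from defusedxml; it uses only the standard-library expat bindings to show how the unguarded parser expands a small constructed entity chain, and how a parser that refuses every entity declaration and external entity reference stops both paths before any expansion happens. The sample documents, the 10-character entity value and the `example.invalid` URL are constructed for illustration.

```python
"""Guarding a Python expat parser against entity expansion (constructed example)."""
import xml.parsers.expat

# Constructed sample: three nested internal entities, each ten copies of the
# previous one, so the single reference in <bomb> expands to 1000 characters.
# Kept deliberately tiny; the real attack pattern nests far deeper.
XML_BOMB = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE bomb [\n'
    ' <!ENTITY a "aaaaaaaaaa">\n'
    ' <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
    ' <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
    ']>\n'
    '<bomb>&c;</bomb>'
)

# Constructed sample: an external entity pointing at a placeholder URL.
XML_EXTERNAL = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE doc [ <!ENTITY ext SYSTEM "http://example.invalid/placeholder"> ]>\n'
    '<doc>&ext;</doc>'
)

# Constructed sample: an ordinary document with no DTD at all.
XML_BENIGN = '<?xml version="1.0"?><msg>hello</msg>'


class ForbiddenEntity(ValueError):
    """Raised when a document declares or references an entity."""


def expanded_text_length(data):
    """Parse with a plain expat parser and return how many characters of
    text the parser delivered; entity references are expanded silently."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return len("".join(chunks))


def parse_guarded(data):
    """Parse with expat but abort on the first entity declaration or
    external entity reference, before any expansion can take place.
    Returns the concatenated character data of the document."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def reject_declaration(entity_name, is_parameter_entity, value,
                           base, system_id, public_id, notation_name):
        # Fires for every <!ENTITY ...> in the internal subset, whether the
        # entity is internal (a literal value) or external (SYSTEM/PUBLIC).
        raise ForbiddenEntity("entity declaration refused: %s" % entity_name)

    def reject_external(context, base, system_id, public_id):
        # Defence in depth: refuse to resolve any external entity reference
        # even if a declaration somehow got past the handler above.
        raise ForbiddenEntity("external entity reference refused: %r" % system_id)

    parser.EntityDeclHandler = reject_declaration
    parser.ExternalEntityRefHandler = reject_external
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


if __name__ == "__main__":
    print("unguarded parser expanded the bomb to", expanded_text_length(XML_BOMB), "chars")
    for label, doc in (("bomb", XML_BOMB), ("external", XML_EXTERNAL)):
        try:
            parse_guarded(doc)
        except ForbiddenEntity as exc:
            print(label, "rejected:", exc)
    print("benign document parsed to", repr(parse_guarded(XML_BENIGN)))
```

Rejecting declarations outright, rather than capping expansion depth, is the simplest policy for services that never expect a DTD in client input, which is the position the OpenStack APIs were in.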