[Openstack-devel] Bug#700949: keystone, nova, cinder: Assigned CVEs and three CVEs rejected

Salvatore Bonaccorso carnil at debian.org
Tue Feb 19 21:46:46 UTC 2013


Hi Thomas

This is to notify you about a problem in the CVEs used: there was a
small unclear situation on assigning the CVEs for these issues
apparently, see [1].

 [1]: http://marc.info/?l=oss-security&m=136129931825949&w=2

In short: CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 were
rejected, and CVE-2013-1664 and CVE-2013-1665 are to be used for the
respective issues.

----cut---------cut---------cut---------cut---------cut---------cut-----
- From Thierry Carrez:
====
After discussion with the Python security team and Kurt, we'll use the
following common CVEs:

CVE-2013-1664 Unrestricted entity expansion induces DoS
vulnerabilities in Python XML libraries (XML bomb)
^ affects Keystone, Cinder, Nova

CVE-2013-1665 External entity expansion in Python XML libraries
inflicts potential security flaws and DoS vulnerabilities
^ affects Keystone

The vulnerabilities are actually in those Python libraries, they are
just being worked around in OpenStack patches. The description will be
updated to clarify this (see below).
====

As you can see from the advisories:

http://seclists.org/oss-sec/2013/q1/338
CVE: CVE-2013-1664, CVE-2013-1665

They were correctly referenced in the OpenStack advisories; however,
the CVEs did get used elsewhere:

http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html

CVE-2013-0278
    OpenStack Keystone
CVE-2013-0279
    Cinder
CVE-2013-0280
    Nova

So please REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 and
use CVE-2013-1664, CVE-2013-1665 as appropriate instead to identify
these issues. Sorry for the confusion.
----cut---------cut---------cut---------cut---------cut---------cut-----

I know you have already updated the packages, if possible could you
change the CVE identifiers in the changelog in your next upload?

I will try to update the security-tracker with the above information.

Regards,
Salvatore
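As an added illustration (not part of this email, the oss-security thread or the OpenStack patches), this is the shape of the workaround the quoted text describes: untrusted XML is pre-scanned with the standard library's expat bindings, and any DOCTYPE, entity declaration or external entity reference aborts parsing before ElementTree is allowed to expand anything. Function names and the sample payloads are constructed for this example.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries DTD constructs we refuse to expand."""


def _reject_dtd_constructs(data: bytes) -> None:
    """Pre-scan with expat; a DOCTYPE, entity declaration or external entity
    reference raises before any expansion (entity or external) can happen."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Refusing the DOCTYPE wholesale also blocks benign entities; for
        # API payloads such as those OpenStack accepts that is acceptable.
        raise UnsafeXML(f"DOCTYPE not allowed: {name}")

    def on_entity_decl(*_args):
        raise UnsafeXML("entity declaration not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity not allowed: {sysid}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.UnparsedEntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # exceptions raised in handlers propagate here


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client: scan first, then build the tree."""
    _reject_dtd_constructs(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a payload."""
    try:
        parse_untrusted(data)
        return "accepted"
    except UnsafeXML as exc:
        return f"rejected: {exc}"


# Constructed sample payloads (not taken from any advisory or bug report).
BENIGN = b'<servers><server name="web-01" status="ACTIVE"/></servers>'
INTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
EXTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY ext SYSTEM "http://example.invalid/x">]><r>&ext;</r>'

if __name__ == "__main__":
    for doc in (BENIGN, INTERNAL_ENTITY, EXTERNAL_ENTITY):
        print(classify(doc))
```

The scan costs a second pass over the document, which is the price of keeping the stock ElementTree parser untouched; a DOCTYPE-free document is parsed normally.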


