[PKG-Openstack-devel] Bug#850716: XML External Entity attack

Salvatore Bonaccorso carnil at debian.org
Thu Jan 19 19:02:09 UTC 2017


Hi,

On Mon, Jan 09, 2017 at 04:28:40PM +0100, Thomas Goirand wrote:
> there was a security hole fixed in python-pysaml2, which allowed XML
> External Entity attacks:
> https://github.com/rohe/pysaml2/pull/379
> https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b

Apparently there was some confusion. To be clear, the above commit now
after re-clarification from MITRE is CVE-2016-10149[1], which means
the initially assigned CVE for the XXE vulnerability in pysaml2 is
still unfixed. Will open another bug for it. See the comments in the
referenced oss-security post for details.

 [1] https://marc.info/?l=oss-security&m=148484731923389&w=2

Regards,
Salvatore
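The thread above is about an XML External Entity (XXE) weakness in pysaml2, a library that parses attacker-supplied SAML XML. The example below is added here as an illustration of the defensive pattern such a fix relies on: refuse any document that carries a DOCTYPE or entity declaration before the parser gets a chance to resolve one. It is not code from the mailing list, from pysaml2, or from the linked pull request; the SAML-shaped sample documents are constructed for this example, and only the Python standard library expat bindings are used.

```python
"""Parse XML with expat while refusing the DTD constructs that XXE needs.

Added example (not pysaml2 code). The approach mirrors the "forbid DTD /
forbid entities" strategy: any DOCTYPE, entity declaration, or external
entity reference aborts parsing before content is interpreted.
"""
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """Raised when a document declares or references entities."""


# Constructed sample: a minimal, benign SAML-style response.
SAFE_DOC = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'idp.example</saml:Issuer></samlp:Response>'
)

# Constructed sample: the same shape, but with a DTD that declares an
# external entity (the construct an XXE attempt depends on).
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE samlp:Response [<!ENTITY ext SYSTEM "file:///example/path">]>'
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    b'&ext;</samlp:Response>'
)


def parse_without_entities(data: bytes) -> dict:
    """Parse `data`, rejecting DOCTYPE and entity declarations.

    Returns {"root": first element tag, "text": concatenated character data}
    for a clean document. Raises UnsafeXML as soon as expat reports a
    DOCTYPE, an entity declaration, or an external entity reference;
    exceptions raised inside expat handlers propagate out of Parse().
    """
    parser = expat.ParserCreate()
    out = {"root": None, "text": ""}

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Any DTD at all is refused: SAML messages never need one.
        raise UnsafeXML(f"DOCTYPE {doctype_name!r} not allowed")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Belt and braces: reached only if a DTD slipped past the handler above.
        raise UnsafeXML(f"entity declaration {name!r} not allowed")

    def external_ref(context, base, system_id, public_id):
        # Refuse to fetch anything the document points the parser at.
        raise UnsafeXML(f"external entity {system_id!r} not allowed")

    def start_element(tag, attrs):
        if out["root"] is None:
            out["root"] = tag

    def char_data(text):
        # expat may deliver text in several chunks; accumulate them.
        out["text"] += text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return out


def is_safe(data: bytes) -> bool:
    """True if the document parses without any DTD/entity construct."""
    try:
        parse_without_entities(data)
    except UnsafeXML:
        return False
    return True


if __name__ == "__main__":
    print("benign document:", parse_without_entities(SAFE_DOC))
    print("DTD-bearing document accepted?", is_safe(XXE_DOC))
```

Rejecting the whole document on the first DOCTYPE is deliberate: it is simpler to audit than trying to distinguish harmless internal subsets from harmful ones, and protocol messages such as SAML never legitimately carry a DTD.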
