Bug#1034182: owslib: CVE-2023-27476
Moritz Mühlenhoff
jmm at inutil.org
Mon Apr 10 18:39:44 BST 2023
Source: owslib
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for owslib.
CVE-2023-27476[0]:
| OWSLib is a Python package for client programming with Open Geospatial
| Consortium (OGC) web service interface standards, and their related
| content models. OWSLib's XML parser (which supports both `lxml` and
| `xml.etree`) does not disable entity resolution, and could lead to
| arbitrary file reads from an attacker-controlled XML payload. This
| affects all XML parsing in the codebase. This issue has been addressed
| in version 0.28.1. All users are advised to upgrade. The only known
| workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc`
| for details.
https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-27476
https://www.cve.org/CVERecord?id=CVE-2023-27476
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-grass-devel
mailing list