[Openstack-devel] Bug#719118: CVE-2013-4202: DoS using XML entities in extensions

Thomas Goirand zigo at debian.org
Thu Aug 8 14:12:54 UTC 2013

Package: cinder
Version: 2013.1.2-3
Severity: important
Tags: security patch

 Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers
 were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in
 specific extensions, an unauthenticated attacker may still consume excessive
 resources on the Nova or Cinder API servers, resulting in a denial of service
 and potentially a crash. Only Nova setups making use of the security group
 extension in Grizzly are affected. Only Cinder setups making use of the
 backups or volume transfer API extension in Grizzly are affected.

I'll upload the fix soon.

Thomas Goirand (zigo)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2013-4202_DoS_using_XML_entities.patch
Type: text/x-diff
Size: 1980 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/openstack-devel/attachments/20130808/83309919/attachment.patch>

More information about the Openstack-devel mailing list