[PKG-Openstack-devel] Bug#850716: Bug#850716: XML External Entity attack
Salvatore Bonaccorso
carnil at debian.org
Fri Jan 20 19:28:46 UTC 2017

Hi Thomas,

On Fri, Jan 20, 2017 at 11:02:56AM +0100, Thomas Goirand wrote:
> On 01/19/2017 08:02 PM, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > On Mon, Jan 09, 2017 at 04:28:40PM +0100, Thomas Goirand wrote:
> >> there was a security hole fixed in python-pysaml2, which allowed XML
> >> External Entity attacks:
> >> https://github.com/rohe/pysaml2/pull/379
> >> https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
> >
> > Apparently there was some confusion. To be clear, the above commit now
> > after re-clarification from MITRE is CVE-2016-10149[1], which means
> > the initially assigned CVE for the XXE vulnerability in pysaml2 is
> > still unfixed. Will open another bug for it. See the comments in the
> > referenced oss-security post for details.
> >
> > [1] https://marc.info/?l=oss-security&m=148484731923389&w=2
> >
> > Regards,
> > Salvatore
>
> Is there a new patch available?

No, TTBOMK, there is no fix yet for that.

Regards,
Salvatore