[Secure-testing-team] Bug#719118: CVE-2013-4202: DoS using XML entities in extensions
Thomas Goirand
zigo at debian.org
Thu Aug 8 14:12:54 UTC 2013
Package: cinder
Version: 2013.1.2-3
Severity: important
Tags: security patch
Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers
were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in
specific extensions, an unauthenticated attacker may still consume excessive
resources on the Nova or Cinder API servers, resulting in a denial of service
and potentially a crash. Only Nova setups making use of the security group
extension in Grizzly are affected. Only Cinder setups making use of the
backups or volume transfer API extension in Grizzly are affected.
I'll upload the fix soon.
Thomas Goirand (zigo)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2013-4202_DoS_using_XML_entities.patch
Type: text/x-diff
Size: 1980 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20130808/83309919/attachment.patch>
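
The class of defect described in this report can be closed at the parser: refuse any request body that declares a DTD or an entity before expansion can start. The sketch below is an added example, not part of the original message or the attached patch; the names `NoEntityExpatParser`, `parse_request_xml` and `accepted`, and the sample request bodies, are hypothetical and constructed for illustration.

```python
from xml.dom import minidom
from xml.sax import expatreader


class ForbiddenXML(ValueError):
    """Request body contains a DTD or an entity declaration."""


class NoEntityExpatParser(expatreader.ExpatParser):
    """SAX expat parser that aborts as soon as a DTD or entity is declared."""

    def _reject_doctype(self, *args):
        raise ForbiddenXML("inline DTD is not allowed")

    def _reject_entity(self, *args):
        raise ForbiddenXML("entity declarations are not allowed")

    def reset(self):
        # reset() builds the underlying pyexpat parser; install the rejecting
        # handlers afterwards so they fire before any entity can be expanded.
        expatreader.ExpatParser.reset(self)
        self._parser.StartDoctypeDeclHandler = self._reject_doctype
        self._parser.EntityDeclHandler = self._reject_entity
        self._parser.UnparsedEntityDeclHandler = self._reject_entity


def parse_request_xml(body):
    """Parse an API request body, refusing DTDs and entities (hypothetical)."""
    if isinstance(body, bytes):
        body = body.decode("utf-8")
    return minidom.parseString(body, parser=NoEntityExpatParser())


def accepted(body):
    """Return True if the body parses under the restricted parser."""
    try:
        parse_request_xml(body)
        return True
    except ForbiddenXML:
        return False


# Constructed request bodies, not taken from the Cinder API reference.
PLAIN = '<backup name="nightly"/>'
WITH_ENTITY = '<!DOCTYPE backup [<!ENTITY a "x">]><backup name="&a;"/>'

if __name__ == "__main__":
    for label, body in (("plain", PLAIN), ("with entity", WITH_ENTITY)):
        print(label, "->", "accepted" if accepted(body) else "rejected")
```

Every XML deserializer in an API, including those in optional extensions, has to go through the same restricted entry point for the check to be effective.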