oss-sec mailing list archives
REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 19 Feb 2013 11:41:37 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - From Thierry Carrez: ==== After discussion with the Python security team and Kurt, we'll use the following common CVEs: CVE-2013-1664 Unrestricted entity expansion induces DoS vulnerabilities in Python XML libraries (XML bomb) ^ affects Keystone, Cinder, Nova CVE-2013-1665 External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities ^ affects Keystone The vulnerabilities are actually in those Python libraries, they are just being worked around in OpenStack patches. The description will be updated to clarify this (see below). ==== As you can see from the advisories: http://seclists.org/oss-sec/2013/q1/338 CVE: CVE-2013-1664, CVE-2013-1665 They were correctly referenced in the OpenStack advisories, however the CVE's did get used elsewhere: http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html CVE-2013-0278 OpenStack Keystone CVE-2013-0279 Cinder CVE-2013-0280 Nova So please REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 and use CVE-2013-1664, CVE-2013-1665 as appropriate instead to identify these issues. Sorry for the confusion. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRI8dgAAoJEBYNRVNeJnmTTMIP/18XTcCcIcl20hXe00Fwav+2 QPta6YzTikKc4dKlA40+3HwCX1uNwfC5CwndJVbLHDvsf8iC1cCOeFqeMIfmvPNW +NSOOpAfceNAwpoSskvjQlsaNhp8oBhjNLQinsAEIYEwtxxfKzKUrejX5S8OG52n +12WH4k4mn4SCkLL3A34hwzmNUHXTE0sl9/OC7+T66lsfMuWUAVzrZrw1g1J+hb0 kfIPaSKeyCi/ycKCtDTQEFD6JevK43mmuyYkPvG2wwLNYFvnWsHwWfaN4Bo7ax1L fPhfHhmgAG5Imnp8m57Ne4ZXzpaPuPxvGUfWqPYSAbtHKDNRX5qOoamcyQQDlR1e 6qjc4ia8EtPwadV1p4Qu7KxqKF2N8I4xbaWmaFEeULMJtKUpQhRZCNolJf0yd6Qu 8pakJbz9m8pyj49IGBqeX2odJ3VfkPnR9Ct4VuDD+QT7SqOCCYuR992h1naQhTTz QP6ItgeWMR6vhGw/QTU2Ersg99Gqv8200hIVpvNNV9qq8Fb2R7F1MaBn0C8Yc9CA ndjEVnjwy9ifnByeiIDnhRB5MHP4M1ziXyF2zdxaHHTVyDqd+NK/uzxYOB7Wx3Am zI/2zoPxHattfPEVHs7GGsdOTS/LwNVNiO++yhJtnCECY5fbIVCe/YYl3s9EllSB uaoA++URDNHIsKXCd4if =3Edi -----END PGP SIGNATURE-----
Current thread:
- REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 Kurt Seifried (Feb 19)