[Bug 1713264] [NEW] [MIR] defusedxml
Launchpad Bug Tracker
1713264 at bugs.launchpad.net
Tue Aug 29 13:31:45 UTC 2017
You have been subscribed to a public bug by Leonidas S. Barbosa (leosilvab):
[Availability]
Currently in universe
[Rationale]
python-pysaml2 now depends on defusedxml in order to fix CVE-2016-10149.
[Security]
Only these security histories were found, but all of them are already fixed.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1664
[Quality assurance]
Package has a self test that is called at build/install time, but not an autopkgtest.
No bug reports were found for this package in the Debian bug tracker.
No major bugs related to it in Launchpad.
[Dependencies]
All the dependencies are in main (python-all, python3-all, debhelper, dh-python, python-setuptools, python3-setuptools)
[Standards compliance]
I haven't found any FHS or Debian policy violations.
[Maintenance]
Ubuntu-openstack
[Background information]
Package description: XML bomb protection for Python stdlib modules
The results of an attack on a vulnerable XML library can be fairly
dramatic. With just a few hundred bytes of XML data an attacker can occupy several
gigabytes of memory within seconds. An attacker can also keep
CPUs busy for a long time with a small to medium size request.
This library allows for XML to be parsed in a manner that avoids these
pitfalls. This package contains the module for the Python 2 interpreter.
** Affects: defusedxml (Ubuntu)
Importance: Undecided
Status: New
** Tags: artful
--
[MIR] defusedxml
https://bugs.launchpad.net/bugs/1713264
You received this bug notification because you are a member of Ubuntu OpenStack, which is subscribed to the bug report.
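An added example, not part of the bug report and not defusedxml's own code: a standard-library sketch of the kind of protection the package description refers to, refusing entity declarations in untrusted XML before anything is expanded. The names `parse_untrusted`, `ForbiddenXML` and `check` are hypothetical, and the sample documents are constructed.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when a document uses a construct the hardened parser refuses."""


def _refuse(kind):
    # Build an expat callback that aborts the parse as soon as `kind` is seen.
    def handler(*args):
        raise ForbiddenXML(kind)
    return handler


def parse_untrusted(data: bytes) -> list:
    """Parse `data` and return its element names; refuse entity declarations.

    Entity expansion is what lets a few hundred bytes of XML grow into
    gigabytes, so the declaration is rejected before anything is expanded.
    """
    names = []
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = _refuse("entity declaration")
    parser.ExternalEntityRefHandler = _refuse("external entity reference")
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def check(data: bytes) -> str:
    """Classify one document as parsed, rejected by policy, or malformed."""
    try:
        return "ok: " + ",".join(parse_untrusted(data))
    except ForbiddenXML as exc:
        return "rejected: " + str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return "malformed: " + str(exc)


# Constructed sample inputs: a plain document and one declaring a single entity.
PLAIN = b"<config><item>a</item></config>"
WITH_ENTITY = b'<!DOCTYPE config [<!ENTITY a "text">]><config>&a;</config>'

if __name__ == "__main__":
    for doc in (PLAIN, WITH_ENTITY):
        print(check(doc))
```

The policy here is stricter than necessary for benign documents: any entity declaration is refused, including harmless ones, which is the trade-off when the input is untrusted.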