Hi Thomas,

This is to notify you about a problem in the CVEs used: there was a small unclear situation on assigning the CVEs for these issues apparently, see [1].

[1]: http://marc.info/?l=oss-security&m=136129931825949&w=2

In short: CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 were rejected and CVE-2013-1664 and CVE-2013-1665 are to be used for the respective issues.

----cut---------cut---------cut---------cut---------cut---------cut-----
From Thierry Carrez:

====
After discussion with the Python security team and Kurt, we'll use the following common CVEs:

CVE-2013-1664
Unrestricted entity expansion induces DoS vulnerabilities in Python XML libraries (XML bomb)
^ affects Keystone, Cinder, Nova

CVE-2013-1665
External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities
^ affects Keystone

The vulnerabilities are actually in those Python libraries, they are just being worked around in OpenStack patches. The description will be updated to clarify this (see below).
====

As you can see from the advisories:
http://seclists.org/oss-sec/2013/q1/338
CVE: CVE-2013-1664, CVE-2013-1665

They were correctly referenced in the OpenStack advisories, however the CVEs did get used elsewhere:
http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html

CVE-2013-0278 OpenStack Keystone
CVE-2013-0279 Cinder
CVE-2013-0280 Nova

So please REJECT CVE-2013-0278, CVE-2013-0279 and CVE-2013-0280 and use CVE-2013-1664, CVE-2013-1665 as appropriate instead to identify these issues.

Sorry for the confusion.
----cut---------cut---------cut---------cut---------cut---------cut-----

I know you have already updated the packages; if possible, could you change the CVE identifiers in the changelog in your next upload? I will try to update the security-tracker with the above information.

Regards,
Salvatore