Package: cinder Version: 2012.2.3-1 Severity: grave Tags: security Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent independently reported a vulnerability in the parsing of XML requests in Keystone, Nova and Cinder. By using entities in XML requests, an unauthenticated attacker may consume excessive resources on the Keystone, Nova or Cinder API servers, resulting in a denial of service and potentially a crash. Authenticated attackers may also leverage XML entities to read the content of a local file on the Keystone API server. This only affects servers with XML support enabled.
Adds a new utils.safe_minidom_parse_string function and updates external API facing Cinder modules to use it. This ensures we have safe defaults on our incoming API XML parsing. Internally safe_minidom_parse_string uses a ProtectedExpatParser class to disable DTDs and entities from being parsed when using minidom. Patched version is ready, upload will happen after it is accepted by the FTP masters and leaves the NEW queue. Thomas Goirand (zigo) -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
