Your message dated Tue, 19 Feb 2013 16:48:02 +0000
with message-id <e1u7qmm-0003sq...@franck.debian.org>
and subject line Bug#700949: fixed in nova 2012.1.1-13
has caused the Debian Bug report #700949,
regarding CVE-2013-0280: Information leak and Denial of Service using XML
entities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
700949: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700949
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nova
Version: 2012.1.1-12
Severity: grave
Tags: security

Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent
independently reported a vulnerability in the parsing of XML requests in
Keystone, Nova and Cinder. By using entities in XML requests, an
unauthenticated attacker may consume excessive resources on the Keystone, Nova
or Cinder API servers, resulting in a denial of service and potentially a
crash. Authenticated attackers may also leverage XML entities to read the
content of a local file on the Keystone API server. This only affects servers
with XML support enabled.

Adds a new utils.safe_minidom_parse_string function and updates external API
facing Nova modules to use it. This ensures we have safe defaults on our
incoming API XML parsing.

Internally safe_minidom_parse_string uses a ProtectedExpatParser class to
disable DTDs and entities from being parsed when using minidom.

Patched version is ready, upload is coming.

Thomas Goirand (zigo)
--- End Message ---
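The report above describes the fix only in outline: a ProtectedExpatParser whose DTD and entity callbacks abort the parse, wrapped by safe_minidom_parse_string. The following is an added, self-contained illustration of that approach for Python 3, written for this page; it reuses those two names from the report but is not nova's own code. The helper functions classify and unprotected_text and the three sample XML documents are constructed for the demonstration and do not come from the bug report.

```python
"""Hardened minidom front-end (added example, not nova's code).

A SAX expat reader whose DOCTYPE and <!ENTITY> callbacks abort parsing,
wrapped so that minidom builds a DOM only from DTD-free, entity-free input.
"""
from xml.dom import minidom
from xml.parsers import expat
from xml.sax import SAXException, expatreader


class ProtectedExpatParser(expatreader.ExpatParser):
    """Expat SAX reader that aborts on any DOCTYPE or entity declaration.

    Refusing the DOCTYPE is enough to stop both vectors in the report:
    nested internal entities (resource exhaustion) and external entities
    (local file disclosure) can only be declared inside a DTD.
    """

    def __init__(self, forbid_dtd=True, forbid_entities=True, **kwargs):
        super().__init__(**kwargs)
        self.forbid_dtd = forbid_dtd
        self.forbid_entities = forbid_entities

    def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
        raise ValueError("DTD forbidden")

    def entity_decl(self, entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        raise ValueError("<!ENTITY> forbidden")

    def unparsed_entity_decl(self, name, base, sysid, pubid, notation_name):
        raise ValueError("<!ENTITY> forbidden")

    def reset(self):
        # The base class creates a fresh pyexpat parser here (feed() calls
        # reset() on the first chunk), so the handlers must be installed
        # after it has run or they would be overwritten.
        super().reset()
        if self.forbid_dtd:
            self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
        if self.forbid_entities:
            self._parser.EntityDeclHandler = self.entity_decl
            self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl


def safe_minidom_parse_string(xml_string):
    """minidom.parseString for untrusted input: raises ValueError on DTDs."""
    if isinstance(xml_string, bytes):
        # minidom's parser= path reads from a text buffer; UTF-8 is assumed
        # here for simplicity (a real service would honour the declaration).
        xml_string = xml_string.decode("utf-8")
    return minidom.parseString(xml_string, parser=ProtectedExpatParser())


def classify(xml_string):
    """Return 'ok' when the document is accepted, else 'rejected: <reason>'."""
    try:
        safe_minidom_parse_string(xml_string)
    except (ValueError, SAXException, expat.ExpatError) as exc:
        return "rejected: %s" % exc
    return "ok"


def unprotected_text(xml_string):
    """Root-element text as produced by stock minidom, which expands internal
    entities; shown only for contrast with the protected path above."""
    root = minidom.parseString(xml_string).documentElement
    return "".join(n.data for n in root.childNodes if n.nodeType == n.TEXT_NODE)


# Constructed sample requests (not taken from the report).
BENIGN_DOC = '<server name="vm1"><flavorRef id="2"/></server>'
INTERNAL_ENTITY_DOC = '<!DOCTYPE a [<!ENTITY x "lol">]><a>&x;</a>'
EXTERNAL_DTD_DOC = '<!DOCTYPE a SYSTEM "a.dtd"><a/>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC),
                       ("internal entity", INTERNAL_ENTITY_DOC),
                       ("external DTD", EXTERNAL_DTD_DOC)):
        print("%-16s -> %s" % (label, classify(doc)))
    print("stock minidom expands &x; to %r" % unprotected_text(INTERNAL_ENTITY_DOC))
```

The important design point is that the handlers are installed in reset() rather than __init__(): ExpatParser only creates its underlying pyexpat object when the first chunk is fed, and any handler set earlier would be discarded. Aborting at the DOCTYPE also means the parser never has to reason about whether a particular entity is "safe"; a service that only ever needs plain request bodies loses nothing by refusing DTDs outright.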
--- Begin Message ---
Source: nova
Source-Version: 2012.1.1-13
We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated nova package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 19 Feb 2013 13:39:34 +0800
Source: nova
Binary: python-nova nova-common nova-compute nova-compute-lxc nova-compute-uml nova-compute-xen nova-compute-qemu nova-compute-kvm nova-scheduler nova-volume nova-api nova-network nova-objectstore nova-console nova-cert nova-xcp-plugins nova-xcp-network nova-doc nova-xvpvncproxy nova-api-metadata nova-api-os-compute nova-api-os-volume nova-api-ec2
Architecture: source all
Version: 2012.1.1-13
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
nova-api - OpenStack Compute - compute API frontend
nova-api-ec2 - OpenStack Compute - EC2 API frontend
nova-api-metadata - OpenStack Compute - metadata API frontend
nova-api-os-compute - OpenStack Compute - compute API frontend
nova-api-os-volume - OpenStack Compute - Volume API frontend
nova-cert - OpenStack Compute - certificate manager
nova-common - OpenStack Compute - common files
nova-compute - OpenStack Compute - compute node
nova-compute-kvm - OpenStack Compute - compute node (KVM)
nova-compute-lxc - OpenStack Compute - compute node (LXC)
nova-compute-qemu - OpenStack Compute - compute node (QEmu)
nova-compute-uml - OpenStack Compute - compute node (UserModeLinux)
nova-compute-xen - OpenStack Compute - compute node (Xen)
nova-console - OpenStack Compute - console
nova-doc - OpenStack Compute - documentation
nova-network - OpenStack Compute - network manager
nova-objectstore - OpenStack Compute - object store
nova-scheduler - OpenStack Compute - virtual machine scheduler
nova-volume - OpenStack Compute - storage
nova-xcp-network - OpenStack Compute network plugin for the Xen Cloud Platform
nova-xcp-plugins - OpenStack Compute plugin for the Xen Cloud Platform
nova-xvpvncproxy - OpenStack Compute - XVP VNC proxy
python-nova - OpenStack Compute - libraries
Closes: 700949
Changes:
nova (2012.1.1-13) unstable; urgency=high
.
* CVE-2013-0280: Information leak and Denial of Service using XML entities
(Closes: #700949).
Checksums-Sha1:
cf648a8264fb47d2ee295c93f9fc1e8f535f73f6 3073 nova_2012.1.1-13.dsc
fc3f80883e6944350a37b2cac89fc88e1e162f08 62878 nova_2012.1.1-13.debian.tar.gz
d7ec01e7ec08e0103f9f08b5fd309c56e7e5d14d 1778958 python-nova_2012.1.1-13_all.deb
f2dc7154cc0bc2f6ecbc2531f79ab8018f062d41 41160 nova-common_2012.1.1-13_all.deb
838d06192b1155c2b344e4bc1ae19aca4b329803 17250 nova-compute_2012.1.1-13_all.deb
9b15e9390bcb378478836c6f76cfe5472da5f5ab 12368 nova-compute-lxc_2012.1.1-13_all.deb
92fd74e7ab18183ffa8092398cbbeeb60d1dfe54 12386 nova-compute-uml_2012.1.1-13_all.deb
89202356351acfc011fa0700055261d67708248a 17034 nova-compute-xen_2012.1.1-13_all.deb
5073703067d6c56f2a39320c1c42a7a9deff03a3 12290 nova-compute-qemu_2012.1.1-13_all.deb
913e96491f7cd9f1a14f651c37fc5433c897b62d 12374 nova-compute-kvm_2012.1.1-13_all.deb
e5669850a02605f4908362fdf8a918ba56f5cd6b 14866 nova-scheduler_2012.1.1-13_all.deb
bd2d04818c31ae3db254f2d76ae51157776a61d6 15776 nova-volume_2012.1.1-13_all.deb
1e5be90bd559895db7745c213b7e869008521610 14756 nova-api_2012.1.1-13_all.deb
ce5ddc260ea6f67ad67a1103e81d806388e5bcdf 17688 nova-network_2012.1.1-13_all.deb
8a35fcca9b568db539bc65e4b751155ac76d58b4 14964 nova-objectstore_2012.1.1-13_all.deb
f7da17686deed666a6d2d62aa3e2195c4fe9f00c 15458 nova-console_2012.1.1-13_all.deb
1e629ddbd68d87d6cbb30385f075a70032d0e3d4 14826 nova-cert_2012.1.1-13_all.deb
b6a53dac34481b50e6fbe0e323943a420b83c3e9 34686 nova-xcp-plugins_2012.1.1-13_all.deb
ac414003848360f336724ac05629b45ff71916e7 19504 nova-xcp-network_2012.1.1-13_all.deb
e55024e9ff5790b8c4176682c90233f9679c9c71 1714148 nova-doc_2012.1.1-13_all.deb
7d6d4792b417ead701bd05de256de641a323c861 14756 nova-xvpvncproxy_2012.1.1-13_all.deb
7edf579687bad5a63c552c694aad8061670b16e0 14664 nova-api-metadata_2012.1.1-13_all.deb
20f2b3b2267820e215abad52494d274d92c3313b 14662 nova-api-os-compute_2012.1.1-13_all.deb
c9e2834a0acc39a1a6b7bf0d0ece4bad5c4810e8 14676 nova-api-os-volume_2012.1.1-13_all.deb
87549f89fa92e1178cddd76ec35a5746a7bc79a9 14638 nova-api-ec2_2012.1.1-13_all.deb
Checksums-Sha256:
4e6f4949dac420299611b2ffa5e4b2f49cd7cddc20745a6af00b51660aa9076c 3073 nova_2012.1.1-13.dsc
7d1258b33ef5f84275677860d978509cb2d1d0e22e5e4907a2d27891785691e0 62878 nova_2012.1.1-13.debian.tar.gz
284d3a50c07cfb2af3e320ee2578f4a65a755308e1e89f169540d90d473b2c28 1778958 python-nova_2012.1.1-13_all.deb
0d9e4be0f953ed50183c37a25521e941fdf5bdf4ad2862d017a93417f174138b 41160 nova-common_2012.1.1-13_all.deb
1e0552363a1a2d90e4f00014dd20834c483b726e1ea9c1b6a9f76c4bd381e46e 17250 nova-compute_2012.1.1-13_all.deb
bf6dc3e535146b82808e6652901aafb00872f928ef00485dc54526d7285ccf75 12368 nova-compute-lxc_2012.1.1-13_all.deb
8e9039cf277d876c3e12464a9954746e10897d8bbb9542abd4eefe32dc4259f8 12386 nova-compute-uml_2012.1.1-13_all.deb
13883c3845b41b833774e7b66ff12b2a041c3f37e3d6136bc61bdb58ba4ff1d6 17034 nova-compute-xen_2012.1.1-13_all.deb
55a77f1c6bc6edd858d979be0d53533ae98df1b203588e3b0666fb3cb035bcc1 12290 nova-compute-qemu_2012.1.1-13_all.deb
4d00b688d63cb4fa2c39ca8a204fb0ea06467565cbf171776ac128fcbedc4434 12374 nova-compute-kvm_2012.1.1-13_all.deb
07b3bb8b49790f34ec15330c11c04632b3d2cadd38c05b6d91ddf4d10801507a 14866 nova-scheduler_2012.1.1-13_all.deb
c8f6404fbd3e95aff5fadcfe4039fca3d3e847a15676300db186ef02c2b5851a 15776 nova-volume_2012.1.1-13_all.deb
2afba951f65eead92b33d672b240ecf344643cadc64dc4ee8f66e8376cdb4390 14756 nova-api_2012.1.1-13_all.deb
dee2a14aadb2b7b4780cbcd0e9764e6552bf247abb07e8656cd38f6c3965d54d 17688 nova-network_2012.1.1-13_all.deb
0e62441f7ac28619503ff64d83a5d8a5387704461952155e0708f9794416d554 14964 nova-objectstore_2012.1.1-13_all.deb
6c1ec1497d6063a562ba5e4727d68ade227c7f7b636a44482bf150ef8530d7ac 15458 nova-console_2012.1.1-13_all.deb
9af9679f4455d17a8dbf8de43671bd9be64af05a92e5fed003abd14194939081 14826 nova-cert_2012.1.1-13_all.deb
a92668c392a64bc3c110404f7024455cf8a4f258e4d4abefbcae3076a2f9af22 34686 nova-xcp-plugins_2012.1.1-13_all.deb
28dbd0fda6e713b4270e3880184a1d128585eb527f68af6dcce404418f855fb2 19504 nova-xcp-network_2012.1.1-13_all.deb
ee75432ff290da8a9de8060748bc556db32cdc4b2b5e2929e0cd776c4f7ff17b 1714148 nova-doc_2012.1.1-13_all.deb
df0b4c779e73213cb29d22aa6a5485a667f2aa2680e5bd47241621ea0c09ff97 14756 nova-xvpvncproxy_2012.1.1-13_all.deb
b193c08019b38294d99d60dd4947b3658e21ec190ea9d9d7cbf3c57bb79b5d66 14664 nova-api-metadata_2012.1.1-13_all.deb
c28c2f9612c1797c50fa86c451f42fa686711362a7b9443fe8436c74f68a4f2d 14662 nova-api-os-compute_2012.1.1-13_all.deb
0a248f894cce619ce17d57acfa72717f2bf054585cd40cca22c2ee02dd6fb55b 14676 nova-api-os-volume_2012.1.1-13_all.deb
7198ef095f05a42520025cf7d4895d8440ad47c21755693350aa73157b3a9319 14638 nova-api-ec2_2012.1.1-13_all.deb
Files:
0b9213bdca4ac3d134f2b05803cb381d 3073 net extra nova_2012.1.1-13.dsc
9c238f983de8cd6e39d739127c496022 62878 net extra nova_2012.1.1-13.debian.tar.gz
19dbf79545a094013719ef29d80f72b4 1778958 python extra python-nova_2012.1.1-13_all.deb
0973aa0011846a668eaa131ca306e57f 41160 net extra nova-common_2012.1.1-13_all.deb
137fda2510801a529e7f9e536d62c8aa 17250 net extra nova-compute_2012.1.1-13_all.deb
949ab155dd0dffb3b09670402ee4434a 12368 net extra nova-compute-lxc_2012.1.1-13_all.deb
0ea8aeebc6ac4e2d253562b88ad2080a 12386 net extra nova-compute-uml_2012.1.1-13_all.deb
5d7e3feebd26253c89a72740e5108a25 17034 net extra nova-compute-xen_2012.1.1-13_all.deb
4191b0fec9e208dae8644bd862e8a4ef 12290 net extra nova-compute-qemu_2012.1.1-13_all.deb
334db04bf2ba9f14a68a2b5bdf7f7d29 12374 net extra nova-compute-kvm_2012.1.1-13_all.deb
60ae5ea851b11b39ff7cf01bcca220bf 14866 net extra nova-scheduler_2012.1.1-13_all.deb
15d9a1d62399170ff2cbac63789ae0b3 15776 net extra nova-volume_2012.1.1-13_all.deb
79409ab95b6fae6e05af2cb7d506618e 14756 net extra nova-api_2012.1.1-13_all.deb
e0938590ace9d273eb697471892bf2fa 17688 net extra nova-network_2012.1.1-13_all.deb
c3f91ee2edf6e7a63a0db599ddc01d01 14964 net extra nova-objectstore_2012.1.1-13_all.deb
69a3a64094e134cc1603831beb688189 15458 net extra nova-console_2012.1.1-13_all.deb
f601fed087c4f283b0598ef3428369df 14826 net extra nova-cert_2012.1.1-13_all.deb
9a3123c4c6e211bdb2048da9b4589807 34686 net extra nova-xcp-plugins_2012.1.1-13_all.deb
2d6eedd6b1efea3374be59fb6302c911 19504 net extra nova-xcp-network_2012.1.1-13_all.deb
a2b9e448e4a76085cd35b352542e355b 1714148 doc extra nova-doc_2012.1.1-13_all.deb
0e27297b7fde5dd9b5177dd378f02b5b 14756 net extra nova-xvpvncproxy_2012.1.1-13_all.deb
09005da3ec083f0be9321cfb45d6e094 14664 net extra nova-api-metadata_2012.1.1-13_all.deb
ddc34e63de3f74ee56a5ddbff710d8df 14662 net extra nova-api-os-compute_2012.1.1-13_all.deb
7da097fafcda78a529df24c98d17d6fc 14676 net extra nova-api-os-volume_2012.1.1-13_all.deb
ad6c35523cf1e5fe1b47c0c1a3d13603 14638 net extra nova-api-ec2_2012.1.1-13_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlEjqegACgkQl4M9yZjvmkm5LgCfb8dShp5GCKhroOG5eyn9uANp
IjgAnjC4PrOyEDbgda0RJ0nbtpU/48Im
=nvZE
-----END PGP SIGNATURE-----
--- End Message ---