Your message dated Tue, 19 Feb 2013 17:03:04 +0000
with message-id <e1u7qau-0007o1...@franck.debian.org>
and subject line Bug#700949: fixed in nova 2012.2.3-1
has caused the Debian Bug report #700949,
regarding CVE-2013-0280: Information leak and Denial of Service using XML entities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700949: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700949
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nova
Version: 2012.1.1-12
Severity: grave
Tags: security

Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent
independently reported a vulnerability in the parsing of XML requests in
Keystone, Nova and Cinder. By using entities in XML requests, an
unauthenticated attacker may consume excessive resources on the Keystone, Nova
or Cinder API servers, resulting in a denial of service and potentially a
crash. Authenticated attackers may also leverage XML entities to read the
content of a local file on the Keystone API server. This only affects servers
with XML support enabled.

Adds a new utils.safe_minidom_parse_string function and updates external API
facing Nova modules to use it. This ensures we have safe defaults on our
incoming API XML parsing.

Internally safe_minidom_parse_string uses a ProtectedExpatParser class to
disable DTDs and entities from being parsed when using minidom.

Patched version is ready, upload is coming.

Thomas Goirand (zigo)

--- End Message ---
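The fix described in the report above disables DTDs and entity declarations in the expat parser that minidom uses, so neither entity expansion (resource exhaustion) nor external entity references (local file reads) can happen. The following Python is an added illustration, not the nova patch itself: it builds a ProtectedExpatParser-style subclass of xml.sax.expatreader.ExpatParser that aborts parsing on any <!DOCTYPE> or <!ENTITY> declaration, a safe_minidom_parse_string wrapper around it, and a parse_outcome helper (my own name, not nova's) run over constructed sample API bodies.

```python
import xml.dom.minidom as minidom
from xml.sax import expatreader


class ProtectedExpatParser(expatreader.ExpatParser):
    """Expat SAX parser that refuses DTDs and entity declarations.

    Modelled on the approach the nova fix describes (added example, not
    nova's code). The refusing handlers fire at declaration time, before
    any entity can be expanded or any external resource fetched.
    """

    def __init__(self, forbid_dtd=True, forbid_entities=True, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.forbid_dtd = forbid_dtd
        self.forbid_entities = forbid_entities

    # pyexpat propagates exceptions raised in handlers, which aborts the parse.
    def _forbid_doctype(self, name, sysid, pubid, has_internal_subset):
        raise ValueError("Inline DTD forbidden")

    def _forbid_entity(self, name, is_parameter_entity, value, base,
                       sysid, pubid, notation_name):
        raise ValueError("<!ENTITY> forbidden")

    def _forbid_unparsed_entity(self, name, base, sysid, pubid, notation_name):
        raise ValueError("<!ENTITY> forbidden")

    def reset(self):
        # The base class creates a fresh pyexpat parser and installs its own
        # handlers here; override the relevant ones afterwards so ours win.
        super().reset()
        if self.forbid_dtd:
            self._parser.StartDoctypeDeclHandler = self._forbid_doctype
        if self.forbid_entities:
            self._parser.EntityDeclHandler = self._forbid_entity
            self._parser.UnparsedEntityDeclHandler = self._forbid_unparsed_entity


def safe_minidom_parse_string(xml_string):
    """Parse a str into a minidom Document with DTDs and entities disabled."""
    return minidom.parseString(xml_string, parser=ProtectedExpatParser())


def parse_outcome(xml_string, **parser_opts):
    """Return ("ok", root tag) or ("rejected", reason) for one document."""
    try:
        doc = minidom.parseString(
            xml_string, parser=ProtectedExpatParser(**parser_opts))
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("ok", doc.documentElement.tagName)


# Constructed sample request bodies (not taken from the report).
BENIGN = '<server name="web01"><flavorRef>1</flavorRef></server>'
INTERNAL_ENTITY = '<!DOCTYPE server [<!ENTITY x "aaaa">]><server>&x;</server>'
EXTERNAL_DTD = '<!DOCTYPE server SYSTEM "http://dtd.example.invalid/s.dtd"><server/>'


if __name__ == "__main__":
    for label, body in (("benign", BENIGN),
                        ("internal entity", INTERNAL_ENTITY),
                        ("external DTD", EXTERNAL_DTD)):
        print(f"{label:16s} -> {parse_outcome(body)}")
    # With DTDs allowed, entity declarations are still refused.
    print(f"{'entity, dtd ok':16s} -> {parse_outcome(INTERNAL_ENTITY, forbid_dtd=False)}")
```

Refusing at declaration time, rather than limiting expansion depth or size, means the outcome does not depend on the Python version's default for external general entities, and there is nothing left for a size limit to miss. The cost is that any document carrying a DOCTYPE is rejected outright, which is the right trade-off for an API endpoint that never needs one.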
--- Begin Message ---
Source: nova
Source-Version: 2012.2.3-1

We believe that the bug you reported is fixed in the latest version of
nova, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated nova package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 03 Feb 2013 11:15:53 +0800
Source: nova
Binary: python-nova nova-common nova-compute nova-compute-lxc nova-compute-uml nova-compute-xen nova-compute-qemu nova-compute-kvm nova-xcp-plugins nova-xcp-network nova-cert nova-scheduler nova-volume nova-xvpvncproxy nova-api nova-network nova-objectstore nova-console nova-doc nova-api-os-volume
Architecture: source all
Version: 2012.2.3-1
Distribution: experimental
Urgency: low
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description: 
 nova-api   - OpenStack Compute - compute API frontend
 nova-api-os-volume - OpenStack Compute - Volume API frontend
 nova-cert  - OpenStack Compute - certificate manager
 nova-common - OpenStack Compute - common files
 nova-compute - OpenStack Compute - compute node
 nova-compute-kvm - OpenStack Compute - compute node (KVM)
 nova-compute-lxc - OpenStack Compute - compute node (LXC)
 nova-compute-qemu - OpenStack Compute - compute node (QEmu)
 nova-compute-uml - OpenStack Compute - compute node (UserModeLinux)
 nova-compute-xen - OpenStack Compute - compute node (Xen)
 nova-console - OpenStack Compute - console
 nova-doc   - OpenStack Compute - documentation
 nova-network - OpenStack Compute - network manager
 nova-objectstore - OpenStack Compute - object store
 nova-scheduler - OpenStack Compute - virtual machine scheduler
 nova-volume - OpenStack Compute - storage
 nova-xcp-network - OpenStack Compute network plugin for the Xen Cloud Platform
 nova-xcp-plugins - OpenStack Compute plugin for the Xen Cloud Platform
 nova-xvpvncproxy - OpenStack Compute - XVP VNC proxy
 python-nova - OpenStack Compute - libraries
Closes: 700949
Changes: 
 nova (2012.2.3-1) experimental; urgency=low
 .
   [ Thomas Goirand ]
   * New upstream release.
   * Removed CVE-2013-0208 patch now applied upstream.
   * Removed useless dependency python-quantum (-quantumclient is enough).
   * CVE-2013-0280: Information leak and Denial of Service using XML entities
     (Closes: #700949).
 .
   [ Mehdi Abaakouk ]
   * Add build-depends on python-pastedeploy, python-migrate
Checksums-Sha1: 
 75872c7fad2327b1fca43cf6f335a199c5ec7355 3139 nova_2012.2.3-1.dsc
 55fae0ac582027f1afc0d8e0e2141939b7f12ae1 3157168 nova_2012.2.3.orig.tar.xz
 fc4540d8c29deb3654f46fb40738c0a63fb413e6 1464509 nova_2012.2.3-1.debian.tar.gz
 83450abd7f67d712b6f2165dbccb660858e7684b 2432576 python-nova_2012.2.3-1_all.deb
 5f9a585d708e1a8fb18deb0c9b20896254d82fa6 1437118 nova-common_2012.2.3-1_all.deb
 922bb1cb707161f0d07a3de64975a5af9313dcd5 1409160 nova-compute_2012.2.3-1_all.deb
 de9c20f12b48cda5f55be5c667240b2c23d044b7 1404954 nova-compute-lxc_2012.2.3-1_all.deb
 afbc79a0ad50a24ca345fac95ad442844a46aba2 1404972 nova-compute-uml_2012.2.3-1_all.deb
 50ff72034823afd049f9cc7b495591c4ffa89b5d 1413850 nova-compute-xen_2012.2.3-1_all.deb
 8c867f6b95f022dbccb21d7d615cb9ac311f6e08 1404962 nova-compute-qemu_2012.2.3-1_all.deb
 235fc38cf52cc2861eb525855c5573b6b8d35cac 1405046 nova-compute-kvm_2012.2.3-1_all.deb
 45cdf1c9d7ef6aab5f3b35d7bb81e1b7d89a33d6 1421364 nova-xcp-plugins_2012.2.3-1_all.deb
 061712bcc363418b731859690caa87b46fb7cdab 1411366 nova-xcp-network_2012.2.3-1_all.deb
 b69163a55a2d1e9a739e529e61d726b6cebc0f85 1407236 nova-cert_2012.2.3-1_all.deb
 1348b850b11d497eea17eec00b872700d29ee725 1407260 nova-scheduler_2012.2.3-1_all.deb
 8b97948d7dd070e51ca33e0ae3c258b2cbb4dd48 1407968 nova-volume_2012.2.3-1_all.deb
 14357088ef6674623505f8670714b6db18e3a97c 1407184 nova-xvpvncproxy_2012.2.3-1_all.deb
 b454ea24fd4abb907537eea189fbe440a57fa85d 1412974 nova-api_2012.2.3-1_all.deb
 c6723c1af11b3e17f45d7d664c7d3c582e1ad09c 1409598 nova-network_2012.2.3-1_all.deb
 9ca0db3087e6a65e244fbb9e50168e2805ce660e 1407346 nova-objectstore_2012.2.3-1_all.deb
 2a3acd0279f84676eacf70984b076b8784692583 1407804 nova-console_2012.2.3-1_all.deb
 2897fcf4e3214ae70722c1e0dd969f7da3fad2a5 3516016 nova-doc_2012.2.3-1_all.deb
 1e189d5e60d6b7e0d645f2542c0534136e156032 1407126 nova-api-os-volume_2012.2.3-1_all.deb
Checksums-Sha256: 
 31b00dcfd1706c03601ad78a55015d3a21cf5aed75cc5342003225529c6f3357 3139 nova_2012.2.3-1.dsc
 bf770ee5dadde6b539038193d5cb60d5fbdc1350d3f61475704eb87625f5179b 3157168 nova_2012.2.3.orig.tar.xz
 8ddb99aa4436e519c7389bbb8be163226e9a88c3e82fb95d67de895f85302914 1464509 nova_2012.2.3-1.debian.tar.gz
 470ae7d323411086d98f6732673b34e167893cca8d3ddc5f0eead8c110a985fa 2432576 python-nova_2012.2.3-1_all.deb
 99ce7835d2cb22c919256e6548b5d0435ddc96116e21eef634198838a3a87ff5 1437118 nova-common_2012.2.3-1_all.deb
 36ef6798adc2c1f59fdd1e9d39387e485d692dbadd403ad7d22e062bb70520b8 1409160 nova-compute_2012.2.3-1_all.deb
 3037edf39787791e85d7135ae2cfe2477f30e270ee9100b0b7a0394a0eaef514 1404954 nova-compute-lxc_2012.2.3-1_all.deb
 3f6fb532fee4ce8556bef4eb27f5885cc1c555665e627a93975a3bc259992ad2 1404972 nova-compute-uml_2012.2.3-1_all.deb
 023fd41dc1d7db083cee87ee15894faf0a70a426dc785dc34356476f652e250b 1413850 nova-compute-xen_2012.2.3-1_all.deb
 438aa5077bb67045b48ce3ec276c68d4f6eb884cc48eddecfe92a96e44c2fae9 1404962 nova-compute-qemu_2012.2.3-1_all.deb
 27fdbf7cae595e0124dea9798ee73fd32770125d84f4ba1ab22cf4521eb8e98e 1405046 nova-compute-kvm_2012.2.3-1_all.deb
 7b6cfe2cb0c7935d9ddc79b8b75873fb8b9b67af7577ff10a6a173857577f5bd 1421364 nova-xcp-plugins_2012.2.3-1_all.deb
 57c5c967b0f55a6d93ae7705f7b022d51733d4f772ff006a51fa611fc2806b3e 1411366 nova-xcp-network_2012.2.3-1_all.deb
 e26cda6c3c3b9989b69c9d14e57153af54fdd458a6c089599554ff54e252148f 1407236 nova-cert_2012.2.3-1_all.deb
 b3985a6d4fab96face7a19516d8a99bbf88f053dccbb22f4b3e4f248e388082b 1407260 nova-scheduler_2012.2.3-1_all.deb
 0342017deedb2f4c369547ca133862ed103187bc79dca606a3e3a2178907e45b 1407968 nova-volume_2012.2.3-1_all.deb
 c005a36087705ae953268d7029cf6bf1e9ddb0e9c231dcbe71a1933342ffc98d 1407184 nova-xvpvncproxy_2012.2.3-1_all.deb
 a71b19a693a481bf8a0e1ae22b05fac2f73829a58a555810ea352fdf92a350b0 1412974 nova-api_2012.2.3-1_all.deb
 3791d5d6c88112aca052dfc18cec079e65e405e32ffc1aa9cb87f4e0af2e93ef 1409598 nova-network_2012.2.3-1_all.deb
 ff2910a68e035dba4a297d210d73fd84c9bdb52ad4fc4df2234ad0344a5b3780 1407346 nova-objectstore_2012.2.3-1_all.deb
 3973ce7fd1a4561df06991e09bb7fd9dc660ff6f567e4d4bbbd6b0cd51ca8b96 1407804 nova-console_2012.2.3-1_all.deb
 a1135d36ba82d8ddf5a93940a041cb30a2ead8fd1aa66f5678ced397bbd53e95 3516016 nova-doc_2012.2.3-1_all.deb
 ec6324d7615b4ba63107dbd3a3eaeea0f92b8c36ac9ebe306221c06c61d58246 1407126 nova-api-os-volume_2012.2.3-1_all.deb
Files: 
 af7968a66b93a9b745fd1647a2008509 3139 net extra nova_2012.2.3-1.dsc
 9697d82d03420c0f64182831bd636839 3157168 net extra nova_2012.2.3.orig.tar.xz
 b0822210c72296fb4480496a4db2a683 1464509 net extra nova_2012.2.3-1.debian.tar.gz
 5a780f752d9c2b1167bcd9871e96dad3 2432576 python extra python-nova_2012.2.3-1_all.deb
 4d1112a44e0f456a1bd27cfbeee4fe99 1437118 net extra nova-common_2012.2.3-1_all.deb
 68bef0463bac31450723800ae36fa8e8 1409160 net extra nova-compute_2012.2.3-1_all.deb
 d3bb5a13ab3f3c55a932eec08543fe48 1404954 net extra nova-compute-lxc_2012.2.3-1_all.deb
 389dff3d7c1cd4df5d5a8954b9f60cb1 1404972 net extra nova-compute-uml_2012.2.3-1_all.deb
 d33bbbc8c0f5cb1ab55eafbf81cc151d 1413850 net extra nova-compute-xen_2012.2.3-1_all.deb
 85025aeff5daae65e3a67a726f601770 1404962 net extra nova-compute-qemu_2012.2.3-1_all.deb
 035eebe28c046432b22fbb1fea204a1e 1405046 net extra nova-compute-kvm_2012.2.3-1_all.deb
 c92682f2943bd5b2cfa6366aecea529c 1421364 net extra nova-xcp-plugins_2012.2.3-1_all.deb
 8ca720ed1807521098de409758d06c90 1411366 net extra nova-xcp-network_2012.2.3-1_all.deb
 9b7e546520bcb41a1a2713cdc2ed6a1f 1407236 net extra nova-cert_2012.2.3-1_all.deb
 26d0c7f1ffc1e61f525d5b5f56301561 1407260 net extra nova-scheduler_2012.2.3-1_all.deb
 adcd2229e2d9ef43379a50bbd4901172 1407968 net extra nova-volume_2012.2.3-1_all.deb
 b72e3a2a240f6df8f569a569dc0bd708 1407184 net extra nova-xvpvncproxy_2012.2.3-1_all.deb
 b2383453504dc462d48c1ff1bb807e2d 1412974 net extra nova-api_2012.2.3-1_all.deb
 2509a588f0820fb28c6b41f546abe722 1409598 net extra nova-network_2012.2.3-1_all.deb
 5994da385ae1dd049e24e5baa2098465 1407346 net extra nova-objectstore_2012.2.3-1_all.deb
 4156c63d0f938581c7f4ce58e78eca5d 1407804 net extra nova-console_2012.2.3-1_all.deb
 c3f7236c5ee259655f6eb01bf645419f 3516016 doc extra nova-doc_2012.2.3-1_all.deb
 03e1d765e4a13fc6231b4eb30089493e 1407126 net extra nova-api-os-volume_2012.2.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEjrlEACgkQl4M9yZjvmkl0vQCcCPUL3cRSVNKHNdPM0hRqrUM1
fP8AniUBU7Eqj6O7m5ax1Cmql66HOiN7
=/J8j
-----END PGP SIGNATURE-----

--- End Message ---