Your message dated Sun, 15 Jan 2017 23:02:54 +0000
with message-id <e1cstp8-000eza...@fasolo.debian.org>
and subject line Bug#850716: fixed in python-pysaml2 2.0.0-1+deb8u1
has caused the Debian Bug report #850716,
regarding python-pysaml2: CVE-2016-10127: XML External Entity attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
850716: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850716
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-pysaml2
Severity: serious
Tags: security patch

As per report from user:

-------- Forwarded Message --------
Subject: python-pysaml2 XEE vulnerability
Date: Mon, 9 Jan 2017 14:50:41 +0100
From: Florian Best <b...@univention.de>
Organization: Univention GmbH
To: z...@debian.org
CC: openstack-de...@lists.alioth.debian.org

Dear debian python-pysaml2 maintainers,

there was a security hole fixed in python-pysaml2, which allowed XML
External Entity attacks:
https://github.com/rohe/pysaml2/pull/379
https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b

Could you please release a security update?

Best regards,
Florian

--- End Message ---
--- Begin Message ---
Source: python-pysaml2
Source-Version: 2.0.0-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
python-pysaml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated python-pysaml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 09 Jan 2017 16:54:24 +0100
Source: python-pysaml2
Binary: python-pysaml2 python-pysaml2-doc
Architecture: source all
Version: 2.0.0-1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 python-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 2.x
 python-pysaml2-doc - SAML Version 2 to be used in a WSGI environment - doc
Closes: 850716
Changes:
 python-pysaml2 (2.0.0-1+deb8u1) jessie-security; urgency=medium
 .
   * Fix XXE issues on anything where pysaml2 parses XML directly:
     - CVE-2016-10127: backporting upstream patch (Closes: #850716).
     - add python-defusedxml as runtime depends.
     - switch debian/gbp.conf to use debian/jessie as packaging branch.
   * Add python-pymongo as (build-)depends.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
