Your message dated Mon, 10 Apr 2023 19:58:44 +0200
with message-id <aa1aa9b1-80ec-bbc4-95d2-877ae9480...@xs4all.nl>
and subject line Re: Bug#1034182: owslib: CVE-2023-27476
has caused the Debian Bug report #1034182,
regarding owslib: CVE-2023-27476
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1034182: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034182
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: owslib
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for owslib.

CVE-2023-27476[0]:
| OWSLib is a Python package for client programming with Open Geospatial
| Consortium (OGC) web service interface standards, and their related
| content models. OWSLib's XML parser (which supports both `lxml` and
| `xml.etree`) does not disable entity resolution, and could lead to
| arbitrary file reads from an attacker-controlled XML payload. This
| affects all XML parsing in the codebase. This issue has been addressed
| in version 0.28.1. All users are advised to upgrade. The only known
| workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc`
| for details.

https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27476
    https://www.cve.org/CVERecord?id=CVE-2023-27476

Please adjust the affected versions in the BTS as needed.

--- End Message ---
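A defensive check for the bug class the advisory describes, added here as an illustration; it is not OWSLib's code nor its upstream fix. It pre-scans untrusted XML with the standard-library expat parser and refuses entity declarations and external DTD subsets before handing the document to `xml.etree`; the sample documents and the file path in them are constructed.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when an untrusted document declares entities or an external DTD."""


def reject_entities(data: bytes) -> None:
    # Scan with a bare expat parser; handlers raise before any entity is expanded.
    # (For lxml the equivalent hardening is XMLParser(resolve_entities=False,
    #  no_network=True); this guard covers the xml.etree path with stdlib only.)
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            raise UnsafeXML(f"external DTD subset refused: {sysid or pubid!r}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Covers both external entities (file reads) and internal ones (expansion DoS).
        raise UnsafeXML(f"entity declaration {name!r} refused")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference refused: {sysid!r}")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    reject_entities(data)
    return ET.fromstring(data)


def check(data: bytes) -> str:
    """Return 'accepted' or the refusal reason, for logging and tests."""
    try:
        parse_untrusted(data)
    except UnsafeXML as exc:
        return f"refused: {exc}"
    return "accepted"


# Constructed samples: a benign capabilities-style response and a DTD-bearing one.
BENIGN = (b'<?xml version="1.0"?><WMS_Capabilities version="1.3.0">'
          b"<Service><Name>WMS</Name></Service></WMS_Capabilities>")
WITH_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY ext SYSTEM '
               b'"file:///PLACEHOLDER/path">]><r>&ext;</r>')
```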
--- Begin Message ---
fixed 1034182 owslib/0.29.0-1~exp1
thanks

On 4/10/23 19:39, Moritz Mühlenhoff wrote:
> https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-27476
>     https://www.cve.org/CVERecord?id=CVE-2023-27476
>
> Please adjust the affected versions in the BTS as needed.

owslib (0.29.0-1~exp1) was uploaded to experimental this morning.

I don't know about the feasibility of backporting the recent changes to bookworm or bullseye.

Kind Regards,

Bas

--
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

--- End Message ---