See also: https://pypi.python.org/pypi/defusedxml https://bugzilla.redhat.com/show_bug.cgi?id=912982 http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html
CVE-2013-1665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1665): OpenStack Keystone Essex and Folsom allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
I'm not entirely clear here, but I think upstream's suggestion is basically "use defusedxml to guard against this".
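The kind of guard the comment above refers to, shown as an added example that is not part of the original bug thread and is not defusedxml's or Keystone's code: a standard-library parser that refuses entity declarations through expat handlers, so an external entity is rejected before any reference to it is resolved. The names `safe_fromstring`, `ForbiddenXML` and `verdict`, the `forbid_dtd` switch and the sample documents are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """The document uses a construct this parser refuses to process."""


def safe_fromstring(data, forbid_dtd=False):
    """Parse bytes into an Element, refusing every entity declaration."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires on <!ENTITY ...>, before any reference could be resolved.
        raise ForbiddenXML(f"entity declaration {name!r}, system_id={system_id!r}")

    def external_ref(context, base, system_id, public_id):
        raise ForbiddenXML(f"external entity reference, system_id={system_id!r}")

    def doctype(name, system_id, public_id, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML(f"DOCTYPE {name!r}")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartDoctypeDeclHandler = doctype
    # Feed element events straight into ElementTree's builder (no namespace handling).
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def verdict(data, **kw):
    """Return 'ok:<root tag>' or 'rejected: <reason>' for one document."""
    try:
        return "ok:" + safe_fromstring(data, **kw).tag
    except ForbiddenXML as exc:
        return f"rejected: {exc}"


# Constructed sample documents; the file URL is a placeholder and is never opened.
BENIGN = b"<auth><user>demo</user></auth>"
EXTERNAL = (b'<!DOCTYPE auth [<!ENTITY x SYSTEM "file:///placeholder/path">]>'
            b"<auth><user>&x;</user></auth>")
INTERNAL = b'<!DOCTYPE auth [<!ENTITY a "aaaa">]><auth>&a;</auth>'

if __name__ == "__main__":
    for doc in (BENIGN, EXTERNAL, INTERNAL):
        print(verdict(doc))
```

Passing `forbid_dtd=True` additionally rejects any document that carries a DOCTYPE at all, which is the stricter choice when the service never needs DTDs.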
I am closing this bug: CVE-2013-1665 was a generic identifier (similar to CVE-2013-1664) issued for multiple applications like Django, OpenStack Keystone Essex and Folsom. dev-python/django was handled in bug 447470. Keystone was handled in bug 458334. Essex/Folsom aren't available (anymore?) in Gentoo. This bug should have been created as a tracker bug initially. Anyways, now we have fixed all the individual applications and no longer need this bug.