Summary: dev-lang/python: XML security flaws and DoS potential (CVE-2013-1665)
Product: Gentoo Security
Reporter: Dirkjan Ochtman (RETIRED) <djc>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list: (none)
Runtime testing required: ---
Description Dirkjan Ochtman (RETIRED) 2013-02-20 10:15:53 UTC
Comment 1 GLSAMaker/CVETool Bot 2013-04-11 16:45:39 UTC
CVE-2013-1665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1665): OpenStack Keystone Essex and Folsom allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
Comment 2 Chris Reffett (RETIRED) 2013-07-07 15:51:59 UTC
I'm not entirely clear here, but I think upstream's suggestion is basically "use defusedxml to guard against this".
Comment 3 Thomas Deutschmann 2017-01-21 12:10:19 UTC
I am closing this bug: CVE-2013-1665 was a generic identifier (similar to CVE-2013-1664) issued for multiple applications like Django, OpenStack Keystone Essex and Folsom. dev-python/django was handled in bug 447470. Keystone was handled in bug 458334. Essex/Folsom aren't available (anymore?) in Gentoo. This bug should have been created as a tracker bug initially. Anyways, now we have fixed all the individual applications and no longer need this bug.
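As an added illustration of the mitigation comment 2 points to, here is a standard-library-only parser that applies the same idea as defusedxml: it hooks expat's DOCTYPE, entity-declaration and external-entity-reference callbacks so that a document carrying the XXE construct described in the CVE text is refused before any entity is resolved. It goes slightly beyond the CVE text in that the same hooks also stop internal-entity expansion, which is the DoS side of the bug's title. This is example code written for this page, not code from the bug report, from Gentoo, or from the defusedxml project; the function names, the sample documents and the placeholder file path are constructed for the example.

```python
"""Refuse DTD and entity constructs in untrusted XML before they are resolved.

Added example, not code from the bug report, Gentoo or defusedxml: it applies
the same approach as defusedxml (abort inside the expat callbacks that fire for
DOCTYPE, entity declarations and external entity references) using only the
standard library. Names and sample documents are constructed for illustration.
"""
import xml.parsers.expat
from xml.etree.ElementTree import Element, TreeBuilder


class ForbiddenXMLConstruct(ValueError):
    """A DTD, entity declaration or external entity reference was encountered."""


def parse_untrusted(data: bytes, forbid_dtd: bool = True) -> Element:
    """Parse XML from an untrusted source into an ElementTree Element.

    Any DOCTYPE (when forbid_dtd is set), any entity declaration and any
    external entity reference aborts parsing with ForbiddenXMLConstruct, so
    neither file disclosure via SYSTEM entities nor internal-entity expansion
    (billion laughs) can take place.
    """
    parser = xml.parsers.expat.ParserCreate()
    builder = TreeBuilder()

    def reject(kind: str):
        # An exception raised inside an expat callback propagates out of Parse().
        def handler(*_args):
            raise ForbiddenXMLConstruct(f"{kind} not allowed in untrusted XML")
        return handler

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = reject("DOCTYPE declaration")
    parser.EntityDeclHandler = reject("entity declaration")
    parser.UnparsedEntityDeclHandler = reject("unparsed entity declaration")
    parser.ExternalEntityRefHandler = reject("external entity reference")

    # Feed elements and text into ElementTree's TreeBuilder as expat reports them.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(data, True)
    return builder.close()


def classify(data: bytes, forbid_dtd: bool = True) -> str:
    """Return 'ok:<root tag>' for an accepted document, else 'rejected:<reason>'
    or 'malformed:<expat message>'."""
    try:
        root = parse_untrusted(data, forbid_dtd)
    except ForbiddenXMLConstruct as exc:
        return f"rejected:{exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"malformed:{exc}"
    return f"ok:{root.tag}"


# Constructed sample documents (not taken from the bug or the CVE text).
BENIGN = b"<config><user>alice</user></config>"
XXE_DOC = (
    b'<!DOCTYPE cfg [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
    b"<cfg><user>&ext;</user></cfg>"
)
EXPANSION_DOC = (
    b'<!DOCTYPE cfg [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<cfg>&b;</cfg>"
)

if __name__ == "__main__":
    for label, doc in ("benign", BENIGN), ("xxe", XXE_DOC), ("expansion", EXPANSION_DOC):
        print(label, "->", classify(doc))
```

The DOCTYPE hook is optional so that documents with a harmless external DTD reference can still be accepted where that is required; the entity-declaration and external-entity hooks stay on unconditionally, since those are the constructs the CVE text and the DoS concern both rely on.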