Bug 458432 (CVE-2013-1665)

Summary: dev-lang/python: XML security flaws and DoS potential (CVE-2013-1665)
Product: Gentoo Security
Reporter: Dirkjan Ochtman (RETIRED) <djc>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-04-11 16:45:39 UTC
CVE-2013-1665 (
  OpenStack Keystone Essex and Folsom allows remote attackers to read
  arbitrary files via an XML external entity declaration in conjunction with
  an entity reference, aka an XML External Entity (XXE) attack.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-07 15:51:59 UTC
I'm not entirely clear here, but I think upstream's suggestion is basically "use defusedxml to guard against this"
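An added example illustrating the guard comment 2 refers to; it is not code from this bug report or from defusedxml. It shows that the default stdlib parser honours a DTD entity declaration, and a stdlib-only parser built on `xml.parsers.expat` that aborts on any DOCTYPE or entity declaration, which is the same kind of handler-based refusal defusedxml installs. The sample documents and all function and class names are constructed for this example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample: an internal DTD subset declaring an entity that the
# body then references. An XXE payload uses the same declaration syntax
# with a SYSTEM identifier instead of a literal value.
SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note [ <!ENTITY greet "hello"> ]>\n'
    "<note>&greet;</note>"
)
CLEAN = "<note>hello</note>"  # constructed: no DTD at all


def parse_naive(doc: str) -> str:
    """Default ElementTree parse: the entity declaration is honoured."""
    return ET.fromstring(doc).text


class DTDForbidden(ValueError):
    """Document carries a DOCTYPE or entity declaration."""


def parse_hardened(doc: str) -> ET.Element:
    """Parse with expat directly and abort on any DTD construct.

    Exceptions raised inside expat handlers propagate out of Parse(), so the
    document is rejected before any entity could be expanded."""
    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, *_):
        raise DTDForbidden(f"DOCTYPE {name!r} not allowed")

    def forbid_entity(name, *_):
        raise DTDForbidden(f"entity declaration {name!r} not allowed")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = lambda *_: 0  # never resolve externals
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(doc, True)
    return builder.close()


def rejects(doc: str) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_hardened(doc)
    except DTDForbidden:
        return True
    return False
```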
Comment 3 Thomas Deutschmann gentoo-dev 2017-01-21 12:10:19 UTC
I am closing this bug:

CVE-2013-1665 was a generic identifier (similar to CVE-2013-1664) issued for multiple applications like Django, OpenStack Keystone Essex and Folsom.

dev-python/django was handled in bug 447470.

Keystone was handled in bug 458334.

Essex/Folsom aren't available (anymore?) in Gentoo.

This bug should have been created as a tracker bug initially. Anyways, now we have fixed all the individual applications and no longer need this bug.