Bug 605324 (CVE-2016-10127)

Summary:	<dev-python/pysaml2-4.0.2-r1: vulnerable to XXE
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	Flags:	stable-bot: sanity-check+
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/rohe/pysaml2/issues/366
See Also:	https://bugs.debian.org/850716
Whiteboard:	B3 [noglsa cve]
Package list:	=dev-python/pysaml2-4.0.2-r1 amd64 x86	Runtime testing required:	---

Description Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-11 00:09:52 UTC

An XML XEE discovered in dev-python/pysaml2 by Matias P. Brutti.

dev-python/pysaml2 does not sanitize SAML XML requests or responses.


Upstream issue: https://github.com/rohe/pysaml2/issues/366

Upstream patch: https://github.com/fruechel/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-11 00:11:09 UTC

CVE request: http://www.openwall.com/lists/oss-security/2017/01/10/6

Comment 2 Matthew Thode ( prometheanfire ) archtester

2017-01-11 03:17:32 UTC

no release with it yet, and openstack requires <pysaml2-4.0.3 to avoid the pycryptodome change.

so... I backported the patch and released 4.0.2-r1

Comment 3 Matthew Thode ( prometheanfire ) archtester

2017-01-11 03:18:53 UTC

arches, please stabilize =dev-python/pysaml2-4.0.2-r1

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2017-01-11 10:47:20 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2017-01-13 15:44:34 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 6 Matthew Thode ( prometheanfire ) archtester

2017-01-13 16:24:55 UTC

cleaned up, removing from cc

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-30 02:07:58 UTC

GLSA Vote: No

Repository is clean.