Bug 458432 (CVE-2013-1665) - dev-lang/python: XML security flaws and DoS potential (CVE-2013-1665)
Summary: dev-lang/python: XML security flaws and DoS potential (CVE-2013-1665)
Status: RESOLVED FIXED
Alias: CVE-2013-1665
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://bugs.python.org/issue17239
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-20 10:15 UTC by Dirkjan Ochtman (RETIRED)
Modified: 2017-01-21 12:10 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-04-11 16:45:39 UTC
CVE-2013-1665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1665):
  OpenStack Keystone Essex and Folsom allows remote attackers to read
  arbitrary files via an XML external entity declaration in conjunction with
  an entity reference, aka an XML External Entity (XXE) attack.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-07 15:51:59 UTC
I'm not entirely clear here, but I think upstream's suggestion is basically "use defusedxml to guard against this"
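Comment 2 points at defusedxml as the guard. As an added illustration (not code from this bug report, from Python upstream or from defusedxml), the same guard can be built directly on the stdlib expat bindings, so it runs with no third-party package; the sample documents below are constructed for the example.

```python
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """Raised when a document declares or references any entity."""


def parse_safely(data: bytes) -> list:
    """Parse with the stdlib expat bindings; return the element names seen.

    Parsing aborts at the first <!ENTITY ...> declaration or external entity
    reference, i.e. before any expansion or fetch can happen. This is the
    same idea defusedxml applies to the xml.* modules.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Fires for internal and external, general and parameter entities.
        kind = "external" if system_id else "internal"
        raise EntitiesForbidden(f"{kind} entity declaration {name!r} not allowed")

    def external_ref(context, base, system_id, public_id):
        # Defence in depth: never resolve an external reference.
        raise EntitiesForbidden(f"external reference to {system_id!r} not allowed")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return seen


def is_rejected(data: bytes) -> bool:
    """True if the guard refuses `data`, False if it parses normally."""
    try:
        parse_safely(data)
    except EntitiesForbidden:
        return True
    return False


# Constructed sample documents (not taken from the bug report).
PLAIN_DOC = b"<config><item name='a'/><item name='b'/></config>"
# Internal entities referencing each other: the shape of the
# exponential-expansion DoS, kept deliberately tiny.
NESTED_ENTITY_DOC = (b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]>'
                     b"<d>&b;</d>")
# An external entity declaration: the XXE shape named in the CVE text.
# The URI is a documentation placeholder and is never fetched.
EXTERNAL_ENTITY_DOC = (b'<!DOCTYPE d [<!ENTITY ext SYSTEM "http://example.invalid/e.xml">]>'
                       b"<d>&ext;</d>")
```

The plain document parses to `['config', 'item', 'item']`; both entity-bearing documents are refused before any entity is expanded.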
Comment 3 Thomas Deutschmann gentoo-dev 2017-01-21 12:10:19 UTC
I am closing this bug:

CVE-2013-1665 was a generic identifier (similar to CVE-2013-1664) issued for multiple applications like Django, OpenStack Keystone Essex and Folsom.

dev-python/django was handled in bug 447470.

Keystone was handled in bug 458334.

Essex/Folsom aren't available (anymore?) in Gentoo.
This bug should have been created as a tracker bug initially. Anyways, now we have fixed all the individual applications and no longer need this bug.