Bug 605324 (CVE-2016-10127) - <dev-python/pysaml2-4.0.2-r1: vulnerable to XXE
Summary: <dev-python/pysaml2-4.0.2-r1: vulnerable to XXE
Status: RESOLVED FIXED
Alias: CVE-2016-10127
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/rohe/pysaml2/issue...
Whiteboard: B3 [noglsa cve]
Reported: 2017-01-11 00:09 UTC by Thomas Deutschmann
Modified: 2017-01-30 09:42 UTC
Package list:
=dev-python/pysaml2-4.0.2-r1 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+
Description Thomas Deutschmann gentoo-dev Security 2017-01-11 00:09:52 UTC
An XML XXE was discovered in dev-python/pysaml2 by Matias P. Brutti.

dev-python/pysaml2 does not sanitize SAML XML requests or responses.

Upstream issue: https://github.com/rohe/pysaml2/issues/366

Upstream patch: https://github.com/fruechel/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-01-11 00:11:09 UTC
CVE request: http://www.openwall.com/lists/oss-security/2017/01/10/6
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-01-11 03:17:32 UTC
No release with it yet, and OpenStack requires <pysaml2-4.0.3 to avoid the pycryptodome change.

So... I backported the patch and released 4.0.2-r1.
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-01-11 03:18:53 UTC
arches, please stabilize =dev-python/pysaml2-4.0.2-r1
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-11 10:47:20 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-13 15:44:34 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-01-13 16:24:55 UTC
Cleaned up, removing from CC.
Comment 7 Thomas Deutschmann gentoo-dev Security 2017-01-30 02:07:58 UTC
GLSA Vote: No

Repository is clean.