Bug 1411794 (CVE-2016-10127)
| Field | Value |
|---|---|
| Summary | CVE-2016-10127 python-pysaml2: Vulnerable to XML external entity attack |
| Product | [Other] Security Response |
| Reporter | Andrej Nemec <anemec> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | aortega, apevec, ayoung, chrisw, cvsbot-xmlrpc, dmoppert, jdennis, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, nkinder, rbryant, rcritten, rhos-maint, sardella, sclewis, slong, tdecacqu |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2017-03-30 03:59:19 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1395609 |
| Bug Blocks | 1411796 |
Description
Andrej Nemec
2017-01-10 13:54:52 UTC
CVE assignment: http://seclists.org/oss-sec/2017/q1/58

John, one note for OpenStack builds: https://github.com/openstack/requirements/blob/master/global-requirements.txt#L210

If you rebase to a version > 4.0.2, you *must* also merge this patch: https://github.com/rohe/pysaml2/pull/385

Note that the proposed patch requires a new package, python-defusedxml, to be added on releases which did not previously include it.

(In reply to Lon Hohberger from comment #11)
> Note that the proposed patch requires a new package, python-defusedxml, to
> be added on releases which did not previously include it.

Well spotted Lon. It turns out this patch actually fixes the incorrect flaw. The patch referenced in comment 0 addresses bug 1415710 (CVE-2016-10149); there is currently no proposed fix for CVE-2016-10127.

There may be a partial fix for this flaw in passing resolve_entities=False to lxml *if* SAML can operate correctly without the use of entities. I say "partial" because pySAML also uses xmlsec, which presently has no such mitigation.

A proper root cause fix will come from bug 1395609 (libxml2), once the patch under development there has been verified by the developers.

Based on comment 12, the fix for this depends on the yet-unresolved libxml2 bug 1395609, and previous product BZ clones were moved to block the new CVE-2016-10149, for which there is a fix.

Statement: This flaw resides in the XML Security Library (xmlsec1) and will be updated there; Red Hat OpenStack Platform is not affected.
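The XXE pattern the thread is about, and the effect of the "don't resolve external entities" knob it proposes as a partial mitigation, as an added example that is not code from the bug report, from pysaml2 or from any Red Hat package. It uses the Python standard library's xml.sax parser, whose feature_external_ges switch stands in for lxml's resolve_entities flag mentioned in comment 12 (lxml and defusedxml are not required); the secret file, the SAML-shaped payload and the entity name xxe are constructed for the demonstration.

```python
"""XXE demonstration: one SAML-shaped document parsed with and without
external-entity resolution. Added example; not pysaml2 code. The stdlib
xml.sax feature_external_ges switch stands in for lxml's resolve_entities."""

import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collect the character data the parser emits, wherever it came from."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def write_secret(content="hunter2"):
    """Create a local file standing in for data an attacker wants to
    exfiltrate (constructed sample; removed again by demo())."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path


def xxe_payload(path):
    """A Response whose Issuer is an external entity pointing at a local
    file (constructed sample). A real SAML Response would be larger, but the
    DOCTYPE with a SYSTEM entity is the part that matters."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE Response [\n'
        '  <!ENTITY xxe SYSTEM "%s">\n'
        ']>\n'
        '<Response><Issuer>&xxe;</Issuer></Response>\n' % path
    ).encode()


def issuer_text(xml_bytes, resolve_entities):
    """Parse xml_bytes and return its text content.

    resolve_entities=True makes the parser fetch external general entities,
    the vulnerable behaviour; False is the hardened setting, equivalent in
    spirit to lxml's etree.XMLParser(resolve_entities=False)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo():
    """Run the same payload through both parser settings.

    Returns (text with entities resolved, text with entities unresolved):
    the first is the secret file's content, the second is empty."""
    path = write_secret()
    try:
        payload = xxe_payload(path)
        leaked = issuer_text(payload, resolve_entities=True)
        safe = issuer_text(payload, resolve_entities=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("entities resolved   ->", repr(leaked))
    print("entities unresolved ->", repr(safe))
```

With resolution enabled the Issuer element's text is the file's content, i.e. the document carried out-of-band data into the application; with it disabled the reference expands to nothing, which is the "partial" mitigation of comment 12, partial because it only covers parses the application itself performs. The signature check that pysaml2 delegates to xmlsec1 parses the document again in C, so a flag on the application's lxml parser does not reach it; that is why the thread points at libxml2 bug 1395609 for the root-cause fix.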