Bug 1415710 (CVE-2016-10149)

Summary: CVE-2016-10149 python-pysaml2: Entity expansion issue
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aortega, apevec, apevec, ayoung, chrisw, cvsbot-xmlrpc, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mburns, nkinder, rbryant, rhos-maint, sclewis, slinaber, slong, tdecacqu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An XML entity expansion vulnerability was found in python-pysaml2. A remote attacker could send a crafted request which would cause denial of service through resource exhaustion.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-19 04:02:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1415563, 1415564, 1415565, 1415566, 1415567, 1415568
Bug Blocks: 1422321

Description Andrej Nemec 2017-01-23 13:51:39 UTC
An entity expansion vulnerability was found in python-pysaml2.

Upstream patch:

https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b

References:

http://seclists.org/oss-sec/2017/q1/140

Comment 1 Andrej Nemec 2017-01-23 13:53:36 UTC
Created python-pysaml2 tracking bugs for this issue:

Affects: fedora-all [bug 1415563]

Comment 3 errata-xmlrpc 2017-04-12 13:52:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:0938 https://access.redhat.com/errata/RHSA-2017:0938

Comment 4 errata-xmlrpc 2017-04-12 13:52:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:0937 https://access.redhat.com/errata/RHSA-2017:0937

Comment 5 errata-xmlrpc 2017-04-12 13:53:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2017:0936 https://access.redhat.com/errata/RHSA-2017:0936