It was found that python-pysaml2 is vulnerable to an XML external entity attack. python-pysaml2 does not sanitize SAML XML requests or responses.

References:
http://seclists.org/oss-sec/2017/q1/50
https://bugs.debian.org/850716

Upstream bug: https://github.com/rohe/pysaml2/issues/366

Proposed patch (! actually fixes Bug 1415710): https://github.com/rohe/pysaml2/pull/379
CVE assignment: http://seclists.org/oss-sec/2017/q1/58
John, one note for OpenStack builds: https://github.com/openstack/requirements/blob/master/global-requirements.txt#L210 If you rebase to a version > 4.0.2, you *must* also merge this patch: https://github.com/rohe/pysaml2/pull/385
Note that the proposed patch requires a new package, python-defusedxml, to be added on releases which did not previously include it.
(In reply to Lon Hohberger from comment #11)
> Note that the proposed patch requires a new package, python-defusedxml, to
> be added on releases which did not previously include it.

Well spotted, Lon. It turns out this patch actually fixes the incorrect flaw. The patch referenced in comment 0 addresses bug 1415710 (CVE-2016-10149) - there is currently no proposed fix for CVE-2016-10127. There may be a partial fix for this flaw in passing resolve_entities=False to lxml *if* SAML can operate correctly without the use of entities. I say "partial" because pySAML also uses xmlsec, which presently has no such mitigation. A proper root cause fix will come from bug 1395609 (libxml2), once the patch under development there has been verified by the developers.
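As an added example (not pysaml2, defusedxml or patch code), here is a stdlib-only pre-parse guard in the spirit of the defusedxml approach discussed above: it refuses any SAML message that declares a DOCTYPE or an entity before a resolving parser ever sees it. Like the resolve_entities=False idea, it covers only the Python-side parse, not xmlsec's own parsing; the sample messages are constructed, not captured traffic.

```python
"""Reject SAML XML that declares a DTD or entities before a resolving
parser sees it. Added example, not pysaml2/defusedxml code; stdlib only."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeSAMLXML(ValueError):
    """The document declares a DOCTYPE or an entity."""


def check_saml_xml(data: bytes) -> bool:
    """Return True if data has no DOCTYPE/entity declarations, else raise.

    SAML 2.0 messages never need a DTD, so every declaration is refused,
    internal or external, before anything could be resolved.
    """
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSAMLXML("DOCTYPE not allowed in SAML message: %r" % name)

    def reject_entity(*decl):
        raise UnsafeSAMLXML("entity declaration not allowed: %r" % decl[0])

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.UnparsedEntityDeclHandler = reject_entity
    # Belt and braces: expat must never load external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)  # raises UnsafeSAMLXML or ExpatError
    return True


def is_safe_saml_xml(data: bytes) -> bool:
    """Boolean form of the check; malformed XML also counts as unsafe."""
    try:
        return check_saml_xml(data)
    except (UnsafeSAMLXML, expat.ExpatError):
        return False


def parse_saml(data: bytes) -> ET.Element:
    """Run the guard first, then hand the bytes to the ordinary parser."""
    check_saml_xml(data)
    return ET.fromstring(data)


# Constructed sample messages (not captured traffic).
BENIGN_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_c0ffee" Version="2.0"><samlp:Status/></samlp:Response>'
)
# Same message with a harmless internal entity declared: still rejected.
DOCTYPE_RESPONSE = b'<!DOCTYPE Response [<!ENTITY g "hi">]>' + BENIGN_RESPONSE
```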
Based on comment 12, the fix for this depends on the as yet unresolved libxml2 bug 1395609, and the previous product BZ clones were moved to block the new CVE-2016-10149, for which there is a fix.
Statement: This flaw resides in the XML Security Library (xmlsec1) and will be updated there; Red Hat OpenStack Platform is not affected.