Your message dated Thu, 08 Aug 2013 15:18:29 +0000
with message-id <[email protected]>
and subject line Bug#719118: fixed in cinder 2013.1.2-4
has caused the Debian Bug report #719118,
regarding CVE-2013-4202: DoS using XML entities in extensions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
719118: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719118
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cinder
Version: 2013.1.2-3
Severity: important
Tags: security patch
Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers
were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in
specific extensions, an unauthenticated attacker may still consume excessive
resources on the Nova or Cinder API servers, resulting in a denial of service
and potentially a crash. Only Nova setups making use of the security group
extension in Grizzly are affected. Only Cinder setups making use of the
backups or volume transfer API extension in Grizzly are affected.
I'll upload the fix soon.
Thomas Goirand (zigo)
Description: CVE-2013-4202 for DoS using XML entities in extensions
Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers
were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in
specific extensions, an unauthenticated attacker may still consume excessive
resources on the Nova or Cinder API servers, resulting in a denial of service
and potentially a crash. Only Nova setups making use of the security group
extension in Grizzly are affected. Only Cinder setups making use of the
backups or volume transfer API extension in Grizzly are affected.
Author: Grant Murphy (Red Hat)
Origin: upstream, <url-missing>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Last-Update: 2013-08-07
--- cinder-2013.1.2.orig/cinder/api/contrib/backups.py
+++ cinder-2013.1.2/cinder/api/contrib/backups.py
@@ -17,7 +17,6 @@
import webob
from webob import exc
-from xml.dom import minidom
from cinder.api import common
from cinder.api import extensions
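Review bot: dropping `from xml.dom import minidom` is only safe if no other `minidom.` reference survives in backups.py; the two call sites this patch rewrites are the only ones it shows, so confirm with a grep or a pyflakes run over the patched file that none remain, otherwise the module raises NameError at the first untouched use.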
@@ -28,6 +27,7 @@ from cinder import backup as backupAPI
from cinder import exception
from cinder import flags
from cinder.openstack.common import log as logging
+from cinder import utils
FLAGS = flags.FLAGS
LOG = logging.getLogger(__name__)
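Review bot: the new `from cinder import utils` line exists only so the deserializer hunks can call `utils.safe_minidom_parse_string`, but this patch does not add that helper; it presumably arrived with the OSSA 2013-004 fix, so check that the 2013.1.2 tree this is applied to actually defines it in cinder/utils.py, or both deserializers will fail with AttributeError at request time rather than at import.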
@@ -82,7 +82,7 @@ class BackupRestoreTemplate(xmlutil.Temp
class CreateDeserializer(wsgi.MetadataXMLDeserializer):
def default(self, string):
- dom = minidom.parseString(string)
+ dom = utils.safe_minidom_parse_string(string)
backup = self._extract_backup(dom)
return {'body': {'backup': backup}}
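Review bot: the swap to `utils.safe_minidom_parse_string(string)` is the right fix, but the hunk shows no handling for a rejected body; a DTD or entity declaration turned away by the safe parser should surface as a 400 client error rather than an unhandled exception that the WSGI layer turns into a 500, so confirm the exception the helper raises is one `wsgi.MetadataXMLDeserializer` or the surrounding middleware already maps to a bad-request response.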
@@ -101,7 +101,7 @@ class CreateDeserializer(wsgi.MetadataXM
class RestoreDeserializer(wsgi.MetadataXMLDeserializer):
def default(self, string):
- dom = minidom.parseString(string)
+ dom = utils.safe_minidom_parse_string(string)
restore = self._extract_restore(dom)
return {'body': {'restore': restore}}
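Review bot: same change and same gap as in CreateDeserializer; `self._extract_restore(dom)` assumes a DOM came back, so a parse rejection escapes `default()` unhandled. Rather than repeating a try/except in both classes, consider one base-class `default()` that parses safely and maps the rejection to a 400, leaving `_extract_backup` and `_extract_restore` as the only per-class hooks.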
--- End Message ---
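The hardened-parse approach the patch switches to, as an added example that is not cinder's own code: a stdlib-only SAX parser whose DTD and entity callbacks abort the parse before expat expands anything, wrapped in a `safe_minidom_parse_string` helper of my own. The helper name follows the patch; `ProtectedExpatParser`, `UnsafeXMLError`, `parse_backup_name` and the two sample bodies are assumptions of this example, not cinder code.

```python
# Added example (not cinder's code): refuse DTDs and entity declarations
# before expat can expand them, the approach the patch above switches to.
from xml.dom import minidom
from xml.sax import expatreader


class UnsafeXMLError(ValueError):
    """Body carried a DTD or entity declaration (hypothetical name)."""


class ProtectedExpatParser(expatreader.ExpatParser):
    """expat calls these handlers when it *sees* a declaration, before any
    entity is expanded, so an expansion payload never costs memory or CPU."""

    def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("inline DTD not allowed in API request")

    def entity_decl(self, name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        raise UnsafeXMLError("<!ENTITY> declaration not allowed")

    def external_entity_ref(self, context, base, sysid, pubid):
        raise UnsafeXMLError("external entity reference not allowed")

    def reset(self):
        # The base class (re)creates the expat parser here; hook in after it.
        expatreader.ExpatParser.reset(self)
        self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
        self._parser.EntityDeclHandler = self.entity_decl
        self._parser.ExternalEntityRefHandler = self.external_entity_ref


def safe_minidom_parse_string(xml_string):
    """Drop-in for minidom.parseString(str) that rejects DTDs and entities."""
    return minidom.parseString(xml_string, parser=ProtectedExpatParser())


def parse_backup_name(xml_string):
    """Return the <backup name=...> value, or None when the body is rejected
    (a real deserializer would turn the rejection into an HTTP 400)."""
    try:
        dom = safe_minidom_parse_string(xml_string)
    except UnsafeXMLError:
        return None
    return dom.documentElement.getAttribute("name")


# Constructed sample request bodies; not taken from the bug report.
BENIGN_BODY = '<backup name="nightly" volume_id="vol-1"/>'
DTD_BODY = '<!DOCTYPE backup [<!ENTITY a "aaaaaaaaaa">]><backup name="&a;&a;"/>'
```

The benign body parses to a normal DOM; the body with a DOCTYPE is refused at the declaration, so the entity reference in its attribute is never expanded.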
--- Begin Message ---
Source: cinder
Source-Version: 2013.1.2-4
We believe that the bug you reported is fixed in the latest version of
cinder, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated cinder package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 13 Jul 2013 22:51:29 +0800
Source: cinder
Binary: python-cinder cinder-common cinder-api cinder-volume cinder-scheduler
cinder-backup
Architecture: source all
Version: 2013.1.2-4
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Description:
cinder-api - OpenStack block storage system - API server
cinder-backup - OpenStack block storage system - Backup server
cinder-common - OpenStack block storage system - common files
cinder-scheduler - OpenStack block storage system - Scheduler server
cinder-volume - OpenStack block storage system - Volume server
python-cinder - OpenStack block storage system - Python libraries
Closes: 719010 719118
Changes:
cinder (2013.1.2-4) unstable; urgency=high
.
* Adds missing depends: sqlite3.
* CVE-2013-4202: Fix DoS using XML entities in extensions (Closes: #719118).
* CVE-2013-4183: Enable zeroing the snapshot when deleting a snapshot in
LVMVolumeDriver (Closes: #719010).
--- End Message ---