Your message dated Sat, 06 Apr 2013 15:32:49 +0000
with message-id <[email protected]>
and subject line Bug#700950: fixed in cinder 2012.2.3-1
has caused the Debian Bug report #700950,
regarding cinder: CVE-2013-1664 (DoS in XML entity parsing)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
700950: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700950
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cinder
Version: 2012.2.3-1
Severity: grave
Tags: security
Jonathan Murray from NCC Group, Joshua Harlow from Yahoo! and Stuart Stent
independently reported a vulnerability in the parsing of XML requests in
Keystone, Nova and Cinder. By using entities in XML requests, an
unauthenticated attacker may consume excessive resources on the Keystone, Nova
or Cinder API servers, resulting in a denial of service and potentially a
crash. Authenticated attackers may also leverage XML entities to read the
content of a local file on the Keystone API server. This only affects servers
with XML support enabled.
Adds a new utils.safe_minidom_parse_string function and updates external API
facing Cinder modules to use it. This ensures we have safe defaults on our
incoming API XML parsing.
Internally safe_minidom_parse_string uses a ProtectedExpatParser class to
disable DTDs and entities from being parsed when using minidom.
Patched version is ready, upload will happen after it is accepted by the
FTP masters and leaves the NEW queue.
Thomas Goirand (zigo)
--- End Message ---
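The report above describes the fix as a minidom wrapper whose expat parser refuses DTDs and entity declarations. The following is an added illustration of that approach written for this page, not the Cinder project's own code; the class and function names mirror the ones the report mentions, but their bodies and the sample request bodies are constructed here.

```python
"""Added example: minidom parsing with DTD and entity handling disabled.
Independent illustration of the technique described in the bug report."""
from xml.dom import minidom
from xml.sax import SAXParseException, expatreader


class ProtectedExpatParser(expatreader.ExpatParser):
    """SAX expat reader whose DTD/entity callbacks raise instead of parsing."""

    def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE/DTD not allowed in API requests")

    def entity_decl(self, name, is_param, value, base, sysid, pubid, notation):
        raise ValueError("<!ENTITY> declarations not allowed")

    def unparsed_entity_decl(self, name, base, sysid, pubid, notation):
        raise ValueError("unparsed <!ENTITY> not allowed")

    def external_entity_ref(self, context, base, sysid, pubid):
        raise ValueError("external entity references not allowed")

    def reset(self):
        # The base class creates a fresh pyexpat parser here; attach the
        # refusing callbacks before any request data is fed to it.
        expatreader.ExpatParser.reset(self)
        self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
        self._parser.EntityDeclHandler = self.entity_decl
        self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl
        self._parser.ExternalEntityRefHandler = self.external_entity_ref


def safe_minidom_parse_string(xml_string):
    """Parse untrusted XML (str) with minidom; any DTD or entity raises."""
    return minidom.parseString(xml_string, ProtectedExpatParser())


def parse_or_reject(xml_string):
    """Return ("ok", root tag) or ("rejected", reason) for a request body."""
    try:
        doc = safe_minidom_parse_string(xml_string)
        return ("ok", doc.documentElement.tagName)
    except (ValueError, SAXParseException) as exc:
        return ("rejected", str(exc))


# Constructed sample bodies (not from the page): a benign volume request,
# one carrying an inline DTD, and one referencing an undeclared entity.
BENIGN = '<volume size="1"><display_name>vol1</display_name></volume>'
WITH_DTD = '<!DOCTYPE volume [<!ENTITY e "x">]><volume>&e;</volume>'
BARE_ENTITY = '<volume>&e;</volume>'

if __name__ == "__main__":
    for body in (BENIGN, WITH_DTD, BARE_ENTITY):
        print(parse_or_reject(body))
```

Without a DTD, any entity reference other than the five predefined ones is already a well-formedness error, so the DOCTYPE hook is what closes the expansion and external-entity paths.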
--- Begin Message ---
Source: cinder
Source-Version: 2012.2.3-1
We believe that the bug you reported is fixed in the latest version of
cinder, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated cinder package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 19 Feb 2013 13:50:33 +0800
Source: cinder
Binary: python-cinder cinder-common cinder-api cinder-volume cinder-scheduler
Architecture: source all
Version: 2012.2.3-1
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Description:
cinder-api - Openstack block storage as a service - API server
cinder-common - Openstack block storage as a service - common files
cinder-scheduler - Openstack block storage as a service - Scheduler server
cinder-volume - Openstack block storage as a service - Volume server
python-cinder - Openstack block storage as a service - Python libraries
Closes: 700950
Changes:
cinder (2012.2.3-1) unstable; urgency=high
.
* New upstream release.
* CVE-2013-1664 & CVE-2013-1665: Ignore XML entities (Closes: #700950).
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---