Do we know that the users (keystone, neutron...) aren't vulnerable?

From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure 
seems like we would likely still have issues if custom implementations are 
being used/created. Perhaps we should just use the defusedxml libraries until 
proven otherwise (better to be safe than sorry).

On Sep 29, 2014, at 9:03 AM, Julien Danjou <jul...@danjou.info> wrote:

> Hi,
> 
> I was looking at xmlutils today, and I took a look at the history of
> this file that seems to come from a CVE almost 2 years ago.
> 
> What is surprising is that, unless I missed something, the only user of
> that lib is Nova. Other projects such as Keystone or Neutron implemented
> things in a different way.
> 
> It seems that Python fixed that issue with 2 modules released on PyPI:
> 
>  https://pypi.python.org/pypi/defusedxml
>  https://pypi.python.org/pypi/defusedexpat
> 
> I'm no XML expert, and I've only a shallow understanding of the issue,
> but I wonder if we should put some effort into dropping xmlutils and our
> custom XML fixes and using these 2 modules instead.
> 
> Hint appreciated.
> 
> -- 
> Julien Danjou
> /* Free Software hacker
>   http://julien.danjou.info */
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

