subject:"\[openstack\-dev\] \[Security\] XML Attacks and DefusedXML on Global Requirements"

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-28 Thread Charles Neill

lt;openstack-dev@lists.openstack.org<mailto:openstack-dev@lists.openstack.org>> Subject: Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements There is a private security bug about it right now too. No, not all XML libraries are immune now. On Tue, Sep 27, 2016 at 11:36

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Jeremy Stanley

On 2016-09-27 11:45:14 -0700 (-0700), Travis McPeak wrote: > There is a private security bug about it right now too. No, not all XML > libraries are immune now. https://launchpad.net/bugs/1625402 which I've just now declassified. -- Jeremy Stanley signature.asc Description: Digital signature

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Travis McPeak

There is a private security bug about it right now too. No, not all XML libraries are immune now. On Tue, Sep 27, 2016 at 11:36 AM, Dave Walker wrote: > > > On 27 September 2016 at 19:19, Sean Dague wrote: > >> On 09/27/2016 01:24 PM, Travis McPeak wrote: >>

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Dave Walker

On 27 September 2016 at 19:19, Sean Dague wrote: > On 09/27/2016 01:24 PM, Travis McPeak wrote: > > There are several attacks (https://pypi.python.org/pypi/defusedxml#id3) > > that can be performed when XML is parsed from untrusted input. > > DefusedXML offers safe alternatives

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Sean Dague

On 09/27/2016 01:24 PM, Travis McPeak wrote: > There are several attacks (https://pypi.python.org/pypi/defusedxml#id3) > that can be performed when XML is parsed from untrusted input. > DefusedXML offers safe alternatives to XML parsing libraries but is not > currently part of global

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Davanum Srinivas

We already debated this in https://review.openstack.org/#/c/311857/ All the lessons learned from DefusedXML was already incorporated in various python packages. You can test this theory out by using the test xml(s) in DefusedXML if you wish. Also note that there have been no changes to the

[openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Travis McPeak

There are several attacks (https://pypi.python.org/pypi/defusedxml#id3) that can be performed when XML is parsed from untrusted input. DefusedXML offers safe alternatives to XML parsing libraries but is not currently part of global requirements. I propose adding DefusedXML to global requirements

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

[openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

7 matches

Site Navigation

Mail list logo

Footer information