Re: [openstack-dev] [oslo] Fate of xmlutils

2014-09-30 Thread Julien Danjou
On Mon, Sep 29 2014, Joshua Harlow wrote:
> Do we know that the users (keystone, neutron...) aren't vulnerable? From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure seems like we would likely still have issues if custom implementations are being used/created. Perhaps we

Re: [openstack-dev] [oslo] Fate of xmlutils

2014-09-30 Thread Davanum Srinivas
Julien, I believe all the lessons learned from defusedxml (see the release dates) have been folded back into the different libraries. For example, plain old etree.fromstring(), even without any special options, is OK with the specially crafted XML bombs that you can find as test cases in defusedxml

Re: [openstack-dev] [oslo] Fate of xmlutils

2014-09-30 Thread Daniel P. Berrange
On Tue, Sep 30, 2014 at 09:28:22AM +0930, Christopher Yeoh wrote:
> On Mon, 29 Sep 2014 18:03:20 +0200 Julien Danjou jul...@danjou.info wrote:
> > It seems that Python fixed that issue with 2 modules released on PyPI: https://pypi.python.org/pypi/defusedxml

Re: [openstack-dev] [oslo] Fate of xmlutils

2014-09-30 Thread Julien Danjou
On Tue, Sep 30 2014, Davanum Srinivas wrote:
> I believe all the lessons learned from defusedxml (see the release dates) have been folded back into the different libraries. For example plain old etree.fromstring() even without any special options is ok with the specially crafted xml bombs that

Re: [openstack-dev] [oslo] Fate of xmlutils

2014-09-30 Thread Doug Hellmann
I agree, it sounds like option 2 is safe. Julien, I updated your commit message on https://review.openstack.org/#/c/125021/ to point to this thread.

Write-it-down-ly,
Doug

On Sep 30, 2014, at 7:17 AM, Davanum Srinivas dava...@gmail.com wrote:
> Julien, I believe all the lessons learned from

Re: [openstack-dev] [oslo] Fate of xmlutils

2014-09-30 Thread Ben Nemec
This was also needed for Python 2.6, right? Do we have confirmation that we can drop that for Kilo?

-Ben

On 09/30/2014 08:28 AM, Doug Hellmann wrote:
> I agree, it sounds like option 2 is safe. Julien, I updated your commit message on https://review.openstack.org/#/c/125021/ to point to

Re: [openstack-dev] [oslo] Fate of xmlutils

2014-09-30 Thread Doug Hellmann
Yes, I think we are still on track to drop 2.6 support for the servers in Kilo. This wasn't used in the client libraries, right?

On Sep 30, 2014, at 10:25 AM, Ben Nemec openst...@nemebean.com wrote:
> This was also needed for Python 2.6, right? Do we have confirmation that we can drop that for

Re: [openstack-dev] [oslo] Fate of xmlutils

2014-09-30 Thread Julien Danjou
On Tue, Sep 30 2014, Doug Hellmann wrote:
> Yes, I think we are still on track to drop 2.6 support for the servers in Kilo. This wasn't used in the client libraries, right?

After a quick grep of the code I have around, it doesn't look like it's being used by anything other than Nova itself.

-- 
Julien

Re: [openstack-dev] [oslo] Fate of xmlutils

2014-09-29 Thread Doug Hellmann
On Sep 29, 2014, at 12:03 PM, Julien Danjou jul...@danjou.info wrote:
> Hi, I was looking at xmlutils today, and I took a look at the history of this file that seems to come from a CVE almost 2 years ago. What is surprising is that, unless I missed something, the only user of that lib is

Re: [openstack-dev] [oslo] Fate of xmlutils

2014-09-29 Thread Joshua Harlow
Do we know that the users (keystone, neutron...) aren't vulnerable? From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure seems like we would likely still have issues if custom implementations are being used/created. Perhaps we should just use the defusedxml libraries until

Re: [openstack-dev] [oslo] Fate of xmlutils

2014-09-29 Thread Christopher Yeoh
On Mon, 29 Sep 2014 18:03:20 +0200 Julien Danjou jul...@danjou.info wrote:
> It seems that Python fixed that issue with 2 modules released on PyPI: https://pypi.python.org/pypi/defusedxml https://pypi.python.org/pypi/defusedexpat

I'm no XML expert, and I've only a shallow understanding