*** This bug is a duplicate of bug 1625402 ***
https://bugs.launchpad.net/bugs/1625402
@Tristan: thanks for looking it up, I forgot all about bug 1625402.
Marking this as a duplicate as you suggested.
** This bug has been marked a duplicate of bug 1625402
Authenticated "Billion laughs" memory exhaustion / DoS vulnerability in ovf_process.py
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1745353
Title:
xml vulnerability in ovf process
Status in Glance:
Triaged
Status in OpenStack Security Advisory:
Incomplete
Bug description:
I scanned Glance with Bandit and found a potential vulnerability in
XML processing related to parsing an OVF file.
Output from Bandit:
Using xml.etree.ElementTree.iterparse to parse untrusted XML data is known to
be vulnerable to XML attacks. Replace xml.etree.ElementTree.iterparse with its
defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is
called.
We should use the defusedxml library, because a user can pass dangerous data
through an OVF file.
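The fix Bandit recommends, shown as an added example that is not Glance's code: the unguarded stdlib iterparse call the report flags, beside a parser that refuses DOCTYPE and entity declarations before any expansion happens, which is the check defusedxml installs. The OVF envelope is a constructed sample, and defusedxml is not assumed to be installed, so the guard is set on the stdlib expat parser directly.

```python
import io
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample: an OVF-style envelope whose DTD declares one internal
# entity. A real "billion laughs" file nests such declarations so expansion
# grows exponentially; one declaration is enough to exercise the guard.
OVF_WITH_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [ <!ENTITY lol "lol"> ]>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1">
  <VirtualSystem><Info>&lol;</Info></VirtualSystem>
</Envelope>"""

# Constructed sample: the same envelope with no DTD at all.
OVF_CLEAN = b"""<?xml version="1.0"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1">
  <VirtualSystem><Info>lol</Info></VirtualSystem>
</Envelope>"""

class EntitiesForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""

def unguarded_info_text(data):
    """The pattern Bandit flags: stdlib iterparse expands the entity silently."""
    for _event, elem in ET.iterparse(io.BytesIO(data), events=("end",)):
        if elem.tag.endswith("}Info"):
            return elem.text

def guarded_element_names(data):
    """Parse with expat, refusing DOCTYPE/entity declarations before any
    expansion happens (the same check defusedxml installs with forbid_dtd
    and forbid_entities); returns the local names of the elements seen."""
    def forbid(*_args):
        raise EntitiesForbidden("DOCTYPE or entity declaration in untrusted OVF")

    names = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.StartElementHandler = lambda name, _attrs: names.append(name.split("}")[-1])
    parser.Parse(data, True)
    return names

def rejects_entities(data):
    """True when the guarded parser refuses the document."""
    try:
        guarded_element_names(data)
    except EntitiesForbidden:
        return True
    return False
```

In Glance the drop-in replacement is defusedxml.ElementTree.iterparse, which installs these handlers for you.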
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1745353/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to: [email protected]
Unsubscribe: https://launchpad.net/~yahoo-eng-team
More help: https://help.launchpad.net/ListHelp