owslib: CVE-2023-27476

Debian Bug report logs - #1034182
owslib: CVE-2023-27476

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Mon, 10 Apr 2023 17:42:04 UTC

Severity: grave

Tags: security, upstream

Fixed in versions owslib/0.29.0-1~exp1, owslib/0.28.1-1~exp1

Done: Sebastiaan Couwenberg <sebastic@xs4all.nl>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>:
Bug#1034182; Package src:owslib. (Mon, 10 Apr 2023 17:42:06 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Mon, 10 Apr 2023 17:42:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: owslib: CVE-2023-27476
Date: Mon, 10 Apr 2023 19:39:44 +0200
Source: owslib
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for owslib.

CVE-2023-27476[0]:
| OWSLib is a Python package for client programming with Open Geospatial
| Consortium (OGC) web service interface standards, and their related
| content models. OWSLib's XML parser (which supports both `lxml` and
| `xml.etree`) does not disable entity resolution, and could lead to
| arbitrary file reads from an attacker-controlled XML payload. This
| affects all XML parsing in the codebase. This issue has been addressed
| in version 0.28.1. All users are advised to upgrade. The only known
| workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc`
| for details.

https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27476
    https://www.cve.org/CVERecord?id=CVE-2023-27476

Please adjust the affected versions in the BTS as needed.
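
The CVE text quoted above describes the classic XXE pattern: a parser that resolves external entities will inline the contents of whatever local file an attacker-supplied DOCTYPE points at, and in a client library such as OWSLib the attacker-controlled XML is simply the response of a hostile or compromised OGC service. The block below is an added example, not OWSLib code and not part of the bug thread. It uses the standard library's expat-backed `xml.sax` reader, whose external general entity resolution can be switched on and off with one feature flag, rather than `lxml`, so that the unsafe and hardened configurations can be compared offline; the secret file, the payload, and the helper names (`parse_text`, `reject_doctype`, `xxe_payload`, `demo`) are constructed for the example.

```python
import io
import os
import pathlib
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Gathers character data so we can see what an entity reference expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse XML with the stdlib expat-backed SAX reader and return its text content.

    resolve_external_entities=True reproduces the unsafe configuration: external
    general entities are fetched from their SYSTEM identifier and inlined.
    False is the hardened configuration: the entity reference expands to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def reject_doctype(xml_bytes):
    """Defence in depth that is independent of which parser backend is in use:
    OGC service responses never need a DTD, so refuse any document that carries
    one before it reaches a parser at all."""
    if _DOCTYPE_RE.search(xml_bytes):
        raise ValueError("XML document contains a DOCTYPE; refusing to parse")
    return xml_bytes


def xxe_payload(path):
    """Build the classic external-entity payload pointing at a local file.
    Constructed sample shaped like an attacker-controlled service response."""
    uri = pathlib.Path(path).as_uri()  # file:///... URI for the target file
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "' + uri.encode() + b'">]>\n'
        b"<r>&xxe;</r>\n"
    )


def demo():
    """Write a constructed secret, parse the payload both ways, and report what leaked."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("S3CRET-TOKEN")
        payload = xxe_payload(secret)
        # Unsafe: the entity is resolved and the file contents land in the document text.
        leaked = parse_text(payload, resolve_external_entities=True)
        # Hardened: the reference is not resolved, so nothing is read from disk.
        safe = parse_text(payload, resolve_external_entities=False)
        try:
            reject_doctype(payload)
            rejected = False
        except ValueError:
            rejected = True
    return {"leaked": leaked, "safe": safe, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

For `lxml` the equivalent hardening is constructing the parser with `lxml.etree.XMLParser(resolve_entities=False)` (and `no_network=True` to stop SYSTEM identifiers that point at URLs) and passing that parser to every `fromstring`/`parse` call; the DOCTYPE pre-check above applies the same way whichever backend the library ends up using.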



Reply sent to Sebastiaan Couwenberg <sebastic@xs4all.nl>:
You have taken responsibility. (Mon, 10 Apr 2023 18:03:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 10 Apr 2023 18:03:03 GMT)


Message #10 received at 1034182-done@bugs.debian.org:

From: Sebastiaan Couwenberg <sebastic@xs4all.nl>
To: Moritz Mühlenhoff <jmm@inutil.org>, 1034182-done@bugs.debian.org
Subject: Re: Bug#1034182: owslib: CVE-2023-27476
Date: Mon, 10 Apr 2023 19:58:44 +0200
fixed 1034182 owslib/0.29.0-1~exp1
thanks

On 4/10/23 19:39, Moritz Mühlenhoff wrote:
> https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2023-27476
>      https://www.cve.org/CVERecord?id=CVE-2023-27476
> 
> Please adjust the affected versions in the BTS as needed.

owslib (0.29.0-1~exp1) was uploaded to experimental this morning.

I don't know about the feasibility of backporting the recent changes to 
bookworm or bullseye.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1




Marked as fixed in versions owslib/0.29.0-1~exp1. Request was from Bas Couwenberg <sebastic@debian.org> to control@bugs.debian.org. (Mon, 10 Apr 2023 18:09:05 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 10 Apr 2023 18:54:14 GMT)


Marked as fixed in versions owslib/0.28.1-1~exp1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 10 Apr 2023 19:09:02 GMT)


Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1034182. (Mon, 10 Apr 2023 19:09:04 GMT)


Message #19 received at 1034182-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 1034182-submitter@bugs.debian.org
Subject: closing 1034182
Date: Mon, 10 Apr 2023 21:07:05 +0200
# already fixed in 0.28.1 upstream, found 1034182 0.27.2-2
close 1034182 0.28.1-1~exp1
thanks





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Apr 11 13:11:34 2023; Machine Name: bembo
