Debian Bug report logs - #1034182
owslib: CVE-2023-27476
Reported by: Moritz Mühlenhoff <jmm@inutil.org>
Date: Mon, 10 Apr 2023 17:42:04 UTC
Severity: grave
Tags: security, upstream
Fixed in versions owslib/0.29.0-1~exp1, owslib/0.28.1-1~exp1
Done: Sebastiaan Couwenberg <sebastic@xs4all.nl>
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>: Bug#1034182; Package src:owslib. (Mon, 10 Apr 2023 17:42:06 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Mon, 10 Apr 2023 17:42:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: owslib
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for owslib.
CVE-2023-27476[0]:
| OWSLib is a Python package for client programming with Open Geospatial
| Consortium (OGC) web service interface standards, and their related
| content models. OWSLib's XML parser (which supports both `lxml` and
| `xml.etree`) does not disable entity resolution, and could lead to
| arbitrary file reads from an attacker-controlled XML payload. This
| affects all XML parsing in the codebase. This issue has been addressed
| in version 0.28.1. All users are advised to upgrade. The only known
| workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc`
| for details.
https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-27476
https://www.cve.org/CVERecord?id=CVE-2023-27476
Please adjust the affected versions in the BTS as needed.
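As an added example (not OWSLib's code and not the upstream fix in the commit linked above), a stdlib-only guard for the defect the advisory describes: untrusted XML is scanned with expat's DTD callbacks and refused as soon as it declares any entity, so an entity-resolving parser never sees it. The same idea is what defusedxml does; function names and the sample documents are my own, and with lxml the parser-level switch is `etree.XMLParser(resolve_entities=False)`.

```python
# Added example, not OWSLib's code or its upstream fix: refuse entity-declaring
# XML before a parser that resolves entities gets it. Same technique as
# defusedxml (abort from expat's DTD callbacks); names here are assumptions.
import xml.etree.ElementTree as ET
from xml.parsers import expat

class EntityDeclared(ValueError):
    """Untrusted XML declared an entity (internal or external)."""

def assert_no_entities(data: bytes) -> None:
    """Raise EntityDeclared on the first <!ENTITY ...> declaration in data.
    The scan resolves nothing: expat fetches external entities only when an
    ExternalEntityRefHandler asks it to, and none is installed here."""
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id else "internal"
        raise EntityDeclared(f"{kind} entity {name!r} declared")

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)

def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source (e.g. a remote OGC service
    response) only after confirming it declares no entities."""
    assert_no_entities(data)
    return ET.fromstring(data)

def default_text(data: bytes) -> str:
    """Root text as an unguarded xml.etree parse sees it (entities expanded)."""
    return ET.fromstring(data).text

def is_rejected(data: bytes) -> bool:
    """True when parse_untrusted() refuses data because it declares an entity."""
    try:
        parse_untrusted(data)
    except EntityDeclared:
        return True
    return False

# Constructed sample documents (not taken from the advisory).
CLEAN_DOC = b'<?xml version="1.0"?><d>42</d>'
INTERNAL_ENTITY_DOC = (b'<?xml version="1.0"?>'
                       b'<!DOCTYPE d [ <!ENTITY greeting "expanded"> ]><d>&greeting;</d>')
EXTERNAL_ENTITY_DOC = (b'<?xml version="1.0"?><!DOCTYPE d [ '
                       b'<!ENTITY ext SYSTEM "file:///tmp/constructed.txt"> ]><d>&ext;</d>')
```

Running `default_text(INTERNAL_ENTITY_DOC)` shows the unguarded parser returning the expanded value, while `is_rejected` is true for both entity-bearing documents and false for the clean one.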
Reply sent to Sebastiaan Couwenberg <sebastic@xs4all.nl>: You have taken responsibility. (Mon, 10 Apr 2023 18:03:03 GMT)
Notification sent to Moritz Mühlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Mon, 10 Apr 2023 18:03:03 GMT)
Message #10 received at 1034182-done@bugs.debian.org:
fixed 1034182 owslib/0.29.0-1~exp1
thanks
On 4/10/23 19:39, Moritz Mühlenhoff wrote:
> https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-27476
> https://www.cve.org/CVERecord?id=CVE-2023-27476
>
> Please adjust the affected versions in the BTS as needed.
owslib (0.29.0-1~exp1) was uploaded to experimental this morning.
I don't know about the feasibility of backporting the recent changes to
bookworm or bullseye.
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
Marked as fixed in versions owslib/0.29.0-1~exp1. Request was from Bas Couwenberg <sebastic@debian.org> to control@bugs.debian.org. (Mon, 10 Apr 2023 18:09:05 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 10 Apr 2023 18:54:14 GMT)
Marked as fixed in versions owslib/0.28.1-1~exp1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 10 Apr 2023 19:09:02 GMT)
Message sent on to Moritz Mühlenhoff <jmm@inutil.org>: Bug#1034182. (Mon, 10 Apr 2023 19:09:04 GMT)
Message #19 received at 1034182-submitter@bugs.debian.org:
# already fixed in 0.28.1 upstream, found 1034182 0.27.2-2
close 1034182 0.28.1-1~exp1
thanks
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Apr 11 13:11:34 2023