
Debian Bug report logs - #719118
CVE-2013-4202: DoS using XML entities in extensions


Reported by: Thomas Goirand <zigo@debian.org>

Date: Thu, 8 Aug 2013 14:15:01 UTC

Severity: important

Tags: patch, security

Found in version 2013.1.2-3

Fixed in version cinder/2013.1.2-4

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#719118; Package cinder. (Thu, 08 Aug 2013 14:15:06 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 08 Aug 2013 14:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-4202: DoS using XML entities in extensions
Date: Thu, 08 Aug 2013 16:12:54 +0200
Package: cinder
Version: 2013.1.2-3
Severity: important
Tags: security patch

 Grant Murphy from Red Hat reported that vulnerabilities in XML request parsers
 were not fully patched in OSSA 2013-004. By leveraging XML entity expansion in
 specific extensions, an unauthenticated attacker may still consume excessive
 resources on the Nova or Cinder API servers, resulting in a denial of service
 and potentially a crash. Only Nova setups making use of the security group
 extension in Grizzly are affected. Only Cinder setups making use of the
 backups or volume transfer API extension in Grizzly are affected.

I'll upload the fix soon.

Thomas Goirand (zigo)
[CVE-2013-4202_DoS_using_XML_entities.patch (text/x-diff, attachment)]
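The weakness described in the report is XML entity expansion reaching the API's XML request parsers. The defensive pattern is to refuse DTD and entity constructs before any expansion happens. The block below is an added illustration of that pattern in Python, not the patch attached to this report and not Cinder's own xmlutil code; the class and function names and the sample request bodies are constructed for this page.

```python
"""Added example: an XML request deserializer that rejects entity constructs.
Names and sample documents are constructed for this page, not taken from Cinder."""
from xml.dom import minidom
from xml.sax import expatreader


class EntityRejectingParser(expatreader.ExpatParser):
    """SAX parser over pyexpat that aborts on DOCTYPE declarations, entity
    declarations and external entity references, so a request body cannot
    declare entities whose expansion would exhaust server memory."""

    def reset(self):
        super().reset()
        # Hooks on the underlying pyexpat parser; each raises as soon as the
        # forbidden construct is seen, before any expansion work is done.
        self._parser.StartDoctypeDeclHandler = self._reject_doctype
        self._parser.EntityDeclHandler = self._reject_entity
        self._parser.UnparsedEntityDeclHandler = self._reject_entity
        self._parser.ExternalEntityRefHandler = self._reject_external

    def _reject_doctype(self, name, sysid, pubid, has_internal_subset):
        raise ValueError("inline DTD is not allowed in request bodies")

    def _reject_entity(self, name, *args):
        raise ValueError("entity declaration not allowed: %s" % name)

    def _reject_external(self, context, base, sysid, pubid):
        raise ValueError("external entity reference not allowed")


def safe_parse_string(text):
    """Parse an XML request body into a minidom Document, raising ValueError
    if it contains any DTD or entity construct."""
    return minidom.parseString(text, EntityRejectingParser())


def body_is_accepted(text):
    """True if the body parses under the hardened parser, False if rejected."""
    try:
        safe_parse_string(text)
        return True
    except ValueError:
        return False


# Constructed sample bodies shaped like a volume-transfer request.
BENIGN = '<transfer><volume_id>vol-1</volume_id><name>t</name></transfer>'
WITH_ENTITY = ('<?xml version="1.0"?><!DOCTYPE t [<!ENTITY a "a">]>'
               '<transfer><name>&a;</name></transfer>')
```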

Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Thu, 08 Aug 2013 15:21:29 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Thu, 08 Aug 2013 15:21:29 GMT)


Message #10 received at 719118-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 719118-close@bugs.debian.org
Subject: Bug#719118: fixed in cinder 2013.1.2-4
Date: Thu, 08 Aug 2013 15:18:29 +0000
Source: cinder
Source-Version: 2013.1.2-4

We believe that the bug you reported is fixed in the latest version of
cinder, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 719118@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated cinder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 13 Jul 2013 22:51:29 +0800
Source: cinder
Binary: python-cinder cinder-common cinder-api cinder-volume cinder-scheduler cinder-backup
Architecture: source all
Version: 2013.1.2-4
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 cinder-api - OpenStack block storage system - API server
 cinder-backup - OpenStack block storage system - Backup server
 cinder-common - OpenStack block storage system - common files
 cinder-scheduler - OpenStack block storage system - Scheduler server
 cinder-volume - OpenStack block storage system - Volume server
 python-cinder - OpenStack block storage system - Python libraries
Closes: 719010 719118
Changes: 
 cinder (2013.1.2-4) unstable; urgency=high
 .
   * Adds missing depends: sqlite3.
   * CVE-2013-4202: Fix DoS using XML entities in extensions (Closes: #719118).
   * CVE-2013-4183: Enable zero the snapshot when delete snapshot in
     LVMVolumeDriver (Closes: #719010).
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 06 Sep 2013 07:27:13 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:25:38 2019; Machine Name: beach