python-pysaml2: CVE-2016-10149

Debian Bug report logs - #850716
python-pysaml2: CVE-2016-10149

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: XML External Entity attack

Date: Mon, 09 Jan 2017 16:28:40 +0100

Source: python-pysaml2
Severity: serious
Tags: security patch

As per report from user:

-------- Forwarded Message --------
Subject: python-pysaml2 XEE vulnerability
Date: Mon, 9 Jan 2017 14:50:41 +0100
From: Florian Best <best@univention.de>
Organization: Univention GmbH
To: zigo@debian.org
CC: openstack-devel@lists.alioth.debian.org

Dear debian python-pysaml2 maintainers,

there was a security hole fixed in python-pysaml2, which allowed XML
External Entity attacks:
https://github.com/rohe/pysaml2/pull/379
https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b

Could you please release a security update?

Best regards,
Florian

Message #16 received at 850716-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 850716-close@bugs.debian.org

Subject: Bug#850716: fixed in python-pysaml2 3.0.0-5

Date: Mon, 09 Jan 2017 21:18:47 +0000

Source: python-pysaml2
Source-Version: 3.0.0-5

We believe that the bug you reported is fixed in the latest version of
python-pysaml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850716@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-pysaml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 09 Jan 2017 16:28:55 +0100
Source: python-pysaml2
Binary: python-pysaml2 python3-pysaml2 python-pysaml2-doc
Architecture: source all
Version: 3.0.0-5
Distribution: unstable
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 python-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 2.x
 python-pysaml2-doc - SAML Version 2 to be used in a WSGI environment - doc
 python3-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 3.x
Closes: 850716
Changes:
 python-pysaml2 (3.0.0-5) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * Bumped debhelper compat version to 10
 .
   [ Thomas Goirand ]
   * Add upstream patch for XML External Entity attack (Closes: #850716).
Checksums-Sha1:
 26ddbadcba3e2f25dfb6ea80f407e324b58f2172 2819 python-pysaml2_3.0.0-5.dsc
 3b55888eeb75408b72e2765195a6b8f0d430ec1f 6820 python-pysaml2_3.0.0-5.debian.tar.xz
 e200a13ef2d6e661f0d842ac4d07f2b32ce9e421 47662 python-pysaml2-doc_3.0.0-5_all.deb
 34dc5af2177f5163a2ea5a35f5e629d10e7171d3 194944 python-pysaml2_3.0.0-5_all.deb
 58c3c49d3af4e37f1654fb24022c942a790affd8 8545 python-pysaml2_3.0.0-5_amd64.buildinfo
 46eb2bea8895521820aeb601b3acdebcd43fce85 195004 python3-pysaml2_3.0.0-5_all.deb
Checksums-Sha256:
 c5e1cb13bbc0b128668a103bd0771355d2e84ef3af132dbd745f62c9b419c5c2 2819 python-pysaml2_3.0.0-5.dsc
 127eaf74e6ead92af2a526e5b3aceadff3be6124cacdbd29745726fa0e10e779 6820 python-pysaml2_3.0.0-5.debian.tar.xz
 7586bf002a940d74a65abea4076f617f9c5090bcb13e1252c541e5c23d2a7954 47662 python-pysaml2-doc_3.0.0-5_all.deb
 375da92f94f7d5390e5c7e1f389155511fe2e6c404af53769cb4b9ada0409148 194944 python-pysaml2_3.0.0-5_all.deb
 6529e2163ec3f704e237ca5441cca03b87c5af3e1ce5823850b73c58f5078443 8545 python-pysaml2_3.0.0-5_amd64.buildinfo
 03bb85bb37a5d810d8198c4fda76fb61237ec97a875f22722b38accebc77cdd3 195004 python3-pysaml2_3.0.0-5_all.deb
Files:
 5c7c052342348d46ec7280d246c697bc 2819 python optional python-pysaml2_3.0.0-5.dsc
 7b3680149b2c11f5ee9f85e8049bf416 6820 python optional python-pysaml2_3.0.0-5.debian.tar.xz
 d0e667aa5605d9d4db5914aef4b66a3c 47662 doc optional python-pysaml2-doc_3.0.0-5_all.deb
 8602ceb1c8a50bb5a2d9bd44c4d00c32 194944 python optional python-pysaml2_3.0.0-5_all.deb
 c559655b278d1541c0269080f90811d6 8545 python optional python-pysaml2_3.0.0-5_amd64.buildinfo
 beb47f23946c91e5d45f11f7f6a02d31 195004 python optional python3-pysaml2_3.0.0-5_all.deb

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEEoLGp81CJVhMOekJc1BatFaxrQ/4FAlhz99kQHHppZ29AZGVi
aWFuLm9yZwAKCRDUFq0VrGtD/lrrEACRTTtT0gpNhjL4BMbXsYaA92k/Od5Hm4v+
DxbimVdb23hvdou4kHJGtWMXistIHXZsamIzz95Fygnk03MaNBA18Rb4b8AE2qQA
flbtgOtacRLKCgrcZmZB8Dgz8FAh4vL6HCEOnEkltWlCkbc0V74d4ryXQ5476sPI
uZuFdm+Akh4mPK9Le/8TMzuCafrCe6Ury6Y8ZXFmdmP5x3a4bUw8synCtgJ8fY2i
VqwVhWyXLFodeOvEmy2rn5mnSP8Y+SXQvT+P4toN0/2o7I2WH30feNakxUK6D43H
U4KQ0lyTMufDKKheQ1DiBdTes5fTZEgJKjPCahHkuseXhpgwvF23iCjxGc/W1tPN
wMj2qXxx26mc6AhtCylrRjvRwYyrZIdoL4ayzJrfnMntKkOBBI1HIAjvaxW3B6aw
IRts5sNG+AjVUQaGSvaZcGO59ed9IPKlFjEQ/bdfcA6mR+QTW4tz6wWPsVfEijTz
oAH4WVm9TGUARPzz8FOSIrlx84AibjDazyG05vgGyzEsLHsLn1Kq1MCNTnaj79kk
g2BMMJO3/NYnXOPnjNj8cr/dTcZfHhl5tButx0D37CoCtjN1CwAztZ782MNV4dWz
nVvV8HByk8A/nZ8Gvo37vf44FZo3pdCuQkij6zBhN9tM1zsTFZZ05QklfuHSgDwe
CfMlm9rYDw==
=tP7f
-----END PGP SIGNATURE-----

Message #21 received at 850716@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Thomas Goirand <zigo@debian.org>, 850716@bugs.debian.org

Subject: Re: Bug#850716: XML External Entity attack

Date: Wed, 11 Jan 2017 06:38:13 +0100

Control: retitle -1 python-pysaml2: CVE-2016-10127: XML External Entity attack

Hi

This issue has been assigned CVE-2016-10127, cf.
http://www.openwall.com/lists/oss-security/2017/01/11/5

Regards,
Salvatore

Message #28 received at 850716-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 850716-close@bugs.debian.org

Subject: Bug#850716: fixed in python-pysaml2 2.0.0-1+deb8u1

Date: Sun, 15 Jan 2017 23:02:54 +0000

Source: python-pysaml2
Source-Version: 2.0.0-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
python-pysaml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850716@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-pysaml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 09 Jan 2017 16:54:24 +0100
Source: python-pysaml2
Binary: python-pysaml2 python-pysaml2-doc
Architecture: source all
Version: 2.0.0-1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 python-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 2.x
 python-pysaml2-doc - SAML Version 2 to be used in a WSGI environment - doc
Closes: 850716
Changes:
 python-pysaml2 (2.0.0-1+deb8u1) jessie-security; urgency=medium
 .
   * Fix XXE issues on anything where pysaml2 parses XML directly:
     - CVE-2016-10127: backporting upstream patch (Closes: #850716).
     - add python-defusedxml as runtime depends.
     - switch debian/gbp.conf to use debian/jessie as packaging branch.
   * Add python-pymongo as (build-)depends.
Checksums-Sha1:
 0bbf1194d95c45f1fdd9c20cfb5ced27812a404a 2383 python-pysaml2_2.0.0-1+deb8u1.dsc
 f1fe1d6a295686640b147519711577b328c9d17a 2615832 python-pysaml2_2.0.0.orig.tar.xz
 fe368731d7f97ebbb0be245d1320ae52137e399c 5944 python-pysaml2_2.0.0-1+deb8u1.debian.tar.xz
 ff1a794513f23be464e3cc2f5badf82ee46a0259 176868 python-pysaml2_2.0.0-1+deb8u1_all.deb
 25b6b3d497909f8b68d300dd939b4621ae0618ea 37866 python-pysaml2-doc_2.0.0-1+deb8u1_all.deb
Checksums-Sha256:
 651009543559ba6fff0dc051bb717f69f717255a9eaa259dc57584f6dcbcee50 2383 python-pysaml2_2.0.0-1+deb8u1.dsc
 c62d179ba27d345d9159d9a3f2bddea7567973720cbf916bbd05eda3e18e935f 2615832 python-pysaml2_2.0.0.orig.tar.xz
 78209ca2e4ee6c6fd00a0c735646f668f1e5d0187d98c120c49a821ac20375c7 5944 python-pysaml2_2.0.0-1+deb8u1.debian.tar.xz
 3e85114f08d18f3c64ca2b9d6703de44c2655298c6262701665ad1790f47784a 176868 python-pysaml2_2.0.0-1+deb8u1_all.deb
 b581372519713ba817645d96acf4d633d069ffede03cec702dc7343605ff603b 37866 python-pysaml2-doc_2.0.0-1+deb8u1_all.deb
Files:
 0a21478383a7f075b00477cdf3007aa2 2383 python optional python-pysaml2_2.0.0-1+deb8u1.dsc
 ff545022ba4ba6bbfe27e020001b9eb0 2615832 python optional python-pysaml2_2.0.0.orig.tar.xz
 43077bb4c9864f93b2db54252154294f 5944 python optional python-pysaml2_2.0.0-1+deb8u1.debian.tar.xz
 efbc1b2f04f03a08ff6fa9b9ce49e912 176868 python optional python-pysaml2_2.0.0-1+deb8u1_all.deb
 80dc4fae343c8c5bf34b9b9f39083674 37866 doc optional python-pysaml2-doc_2.0.0-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYdnRoAAoJENQWrRWsa0P+1OQQAInAMrUW7KScS+RLQ5U9Z0oL
6sTmRSlZ7tcumrRtMgXW7dKguwCEKFf+vL2JEQ1LNkt7KcjwYunPfywphhaE1Qlm
YVWfXfC7A4cU3xAw12Q7FGkWhW2fSF23AlsllFrqjFJ331SvfWZ3i9PGLrzSUoE6
vT5+Pf9aL1P5srZXxRNpZpHFvWUaHOzpgO/Lk3SnZbVIrPTihdRmqSWl23J10iZQ
9hjnOx25tEAtb6dcHlPZaRaxZEnKOVWVh0GCRlkRvB41mo7ClwFnJ6S5J+DsmxpA
QufF0INkr0p4rXaFFJs7SHabV6/URTdCkBGjbcYdJAxx4bT1krM0FNnir4UcIwJ6
mpOLjOyR6+L0c5dJkCU+yAunKX4n1AklvOd/f//FauoEBPFghz5dRM29nZPo9eCD
deKCA/gdRXrFS/IzzpmP8dJ6rXfAb+4p4HnEiL8WVv3/2jxTOUDz+EZuK5nxsDPX
KSmlD9ihpVvqriQeRWsiRAiM4pp5SQHR6ftws85rVBg1FJ6Fut+YPYJDncxSYPNy
5+JKMRM9Tvf39uXGmeAdusF/ekysUgQKuxxY5GM0kwde5lm6GHUv6aL6UpHQ9IXo
JqcTOzjtzpsZa7bDc7fj09dzCsVq+blExvm2KD1sGkxrLaL2q17eAdHjv7aBbHS1
R2cVRsYLa01JLcrdZQXu
=ivso
-----END PGP SIGNATURE-----

Message #35 received at 850716@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Thomas Goirand <zigo@debian.org>, 850716@bugs.debian.org

Subject: Re: Bug#850716: XML External Entity attack

Date: Thu, 19 Jan 2017 20:02:09 +0100

Hi,

On Mon, Jan 09, 2017 at 04:28:40PM +0100, Thomas Goirand wrote:
> there was a security hole fixed in python-pysaml2, which allowed XML
> External Entity attacks:
> https://github.com/rohe/pysaml2/pull/379
> https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b

Apparently there was some confusion. To be clear, the above commit now
after re-clarification from MITRE is CVE-2016-10149[1], which means
the initially assigned CVE for the XXE vulnerability in pysaml2 is
still unfixed. Will open another bug for it. See the comments in the
references oss-security post for details.

 [1] https://marc.info/?l=oss-security&m=148484731923389&w=2

Regards,
Salvatore

Message #40 received at 850716@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>

To: 850716@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, security@debian.org

Subject: Re: [PKG-Openstack-devel] Bug#850716: XML External Entity attack

Date: Fri, 20 Jan 2017 11:02:56 +0100

On 01/19/2017 08:02 PM, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, Jan 09, 2017 at 04:28:40PM +0100, Thomas Goirand wrote:
>> there was a security hole fixed in python-pysaml2, which allowed XML
>> External Entity attacks:
>> https://github.com/rohe/pysaml2/pull/379
>> https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
> 
> Apparently there was some confusion. To be clear, the above commit now
> after re-clarification from MITRE is CVE-2016-10149[1], which means
> the initially assigned CVE for the XXE vulnerability in pysaml2 is
> still unfixed. Will open another bug for it. See the comments in the
> references oss-security post for details.
> 
>  [1] https://marc.info/?l=oss-security&m=148484731923389&w=2
> 
> Regards,
> Salvatore

Is there a new patch available?

Cheers,

Thomas Goirand (zigo)

Message #45 received at 850716@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Thomas Goirand <zigo@debian.org>, 850716@bugs.debian.org

Cc: security@debian.org

Subject: Re: Bug#850716: [PKG-Openstack-devel] Bug#850716: XML External Entity attack

Date: Fri, 20 Jan 2017 20:28:46 +0100

Hi Thomas,

On Fri, Jan 20, 2017 at 11:02:56AM +0100, Thomas Goirand wrote:
> On 01/19/2017 08:02 PM, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Mon, Jan 09, 2017 at 04:28:40PM +0100, Thomas Goirand wrote:
> >> there was a security hole fixed in python-pysaml2, which allowed XML
> >> External Entity attacks:
> >> https://github.com/rohe/pysaml2/pull/379
> >> https://github.com/rohe/pysaml2/commit/6e09a25d9b4b7aa7a506853210a9a14100b8bc9b
> > 
> > Apparently there was some confusion. To be clear, the above commit now
> > after re-clarification from MITRE is CVE-2016-10149[1], which means
> > the initially assigned CVE for the XXE vulnerability in pysaml2 is
> > still unfixed. Will open another bug for it. See the comments in the
> > references oss-security post for details.
> > 
> >  [1] https://marc.info/?l=oss-security&m=148484731923389&w=2
> > 
> > Regards,
> > Salvatore
> 
> Is there a new patch available?

No, TTBOMK, there is no fix yet for that.

Regards,
Salvatore

Send a report that this bug log contains spam.