CVE-2016-10127: XXE attack via crafted SAML XML request or response

Related Vulnerabilities: CVE-2016-10127  

Debian Bug report logs - #859135

Reported by: Antoine Beaupre <anarcat@orangeseeds.org>

Date: Thu, 30 Mar 2017 18:45:01 UTC

Severity: normal

Tags: security, upstream

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#859135; Package python-pysaml2. (Thu, 30 Mar 2017 18:45:04 GMT)


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 30 Mar 2017 18:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: submit@bugs.debian.org
Subject: CVE-2016-10127: XXE attack via crafted SAML XML request or response
Date: Thu, 30 Mar 2017 14:40:58 -0400
Package: python-pysaml2
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: normal
Tags: security

Hi,

the following vulnerability was published for python-pysaml2.

CVE-2016-10127[0]:
| PySAML2 allows remote attackers to conduct XML external entity (XXE)
| attacks via a crafted SAML XML request or response.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10127
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10127

Please adjust the affected versions in the BTS as needed.

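The CVE text above names the bug class but shows nothing of the mechanism. The block below is an added example, not code from pysaml2 or from this bug log: it builds a constructed SAML Response whose NameID expands an external entity, parses it once with a deliberately naive entity resolver (Python's expat-based parsers fetch nothing on their own, so that resolver is the assumption that makes the leak visible; a parser that substitutes entities by default, such as lxml with its default resolve_entities=True, needs no such help), and once with a parser that refuses any DOCTYPE or entity declaration before the body is touched, which is the policy defusedxml enforces and which the 4.5.0-1 changelog later in this log shows being added as a dependency. The secret file, element names, helper names and the NameID extraction are constructed for the demonstration. A guard at the Python parser is only part of the picture: as Salvatore notes further down, the thread points at libxml2 as the underlying issue, which this example does not address.

```python
import os
import tempfile
import xml.parsers.expat as expat

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NAME_ID = SAML_NS + "}NameID"  # expat reports names as "namespace}local"


class DTDForbidden(ValueError):
    """A SAML message never needs a DOCTYPE; treat one as hostile."""


def build_response(name_id_content, doctype=""):
    """Constructed SAML Response (assumed shape, not a real IdP's output).
    `doctype` is prepended verbatim so the attacker variant can carry a DTD."""
    return (
        '<?xml version="1.0"?>\n'
        f'{doctype}'
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_r1" Version="2.0">\n'
        '  <saml:Assertion ID="_a1" Version="2.0">\n'
        f'    <saml:Subject><saml:NameID>{name_id_content}</saml:NameID></saml:Subject>\n'
        '  </saml:Assertion>\n'
        '</samlp:Response>\n'
    )


def build_xxe_response(secret_path):
    """Attacker payload: NameID expands an external entity that names a local
    file on whichever host parses the message."""
    dtd = ('<!DOCTYPE samlp:Response [\n'
           f'  <!ENTITY xxe SYSTEM "file://{secret_path}">\n'
           ']>\n')
    return build_response("&xxe;", doctype=dtd)


def _name_id_parser(state):
    """Expat parser that collects the text of saml:NameID into state['chunks']."""
    parser = expat.ParserCreate(namespace_separator="}")

    def start(name, attrs):
        if name == NAME_ID:
            state["inside"] = True

    def end(name):
        if name == NAME_ID:
            state["inside"] = False

    def chars(data):
        if state["inside"]:
            state["chunks"].append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return parser


def parse_name_id_resolving_entities(xml_text):
    """DELIBERATELY VULNERABLE: installs a resolver that fetches whatever SYSTEM
    identifier the document names, which is exactly what XXE relies on."""
    state = {"inside": False, "chunks": []}
    parser = _name_id_parser(state)

    def resolve(context, base, system_id, public_id):
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            body = fh.read()
        # The child parser inherits the handlers, so the file content lands in NameID.
        parser.ExternalEntityParserCreate(context).Parse(body, True)
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_text, True)
    return "".join(state["chunks"])


def parse_name_id_hardened(xml_text):
    """Refuses any DTD, entity declaration or external reference as soon as
    expat reports it (the same policy defusedxml applies)."""
    state = {"inside": False, "chunks": []}
    parser = _name_id_parser(state)

    def forbid(*_):
        raise DTDForbidden("DOCTYPE and entity declarations are not allowed in SAML messages")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.Parse(xml_text, True)
    return "".join(state["chunks"])


def demo():
    """Run both parsers over the attacker payload and over a benign message."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("s3cr3t-db-password")  # constructed secret standing in for /etc/passwd
        secret_path = fh.name
    try:
        payload = build_xxe_response(secret_path)
        leaked = parse_name_id_resolving_entities(payload)
        try:
            parse_name_id_hardened(payload)
            blocked = False
        except DTDForbidden:
            blocked = True
        benign = parse_name_id_hardened(build_response("alice@example.org"))
        return {"leaked": leaked, "blocked": blocked, "benign": benign}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

Rejecting at the DOCTYPE rather than at the entity reference is the useful design choice: entity expansion (billion laughs) and parameter-entity tricks are cut off at the same point, and a legitimate SAML message is never affected because the SAML schemas never require a DTD.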
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 Mar 2017 19:27:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#859135; Package python-pysaml2. (Thu, 30 Mar 2017 19:30:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 30 Mar 2017 19:30:03 GMT)


Message #12 received at 859135@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Antoine Beaupre <anarcat@orangeseeds.org>, 859135@bugs.debian.org
Subject: Re: Bug#859135: CVE-2016-10127: XXE attack via crafted SAML XML request or response
Date: Thu, 30 Mar 2017 21:27:56 +0200
On Thu, Mar 30, 2017 at 02:40:58PM -0400, Antoine Beaupre wrote:
> Package: python-pysaml2
> X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
> Severity: normal
> Tags: security
> 
> Hi,
> 
> the following vulnerability was published for python-pysaml2.
> 
> CVE-2016-10127[0]:
> | PySAML2 allows remote attackers to conduct XML external entity (XXE)
> | attacks via a crafted SAML XML request or response.

As a side note: It can be mentioned for this issue though that a
proper fix would be appropriate in the underlying issue in
src:libxml2. Please though see the whole discussion on oss-security
around the CVE assignment for details.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#859135; Package python-pysaml2. (Thu, 30 Mar 2017 19:39:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 30 Mar 2017 19:39:11 GMT)


Message #17 received at 859135@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Antoine Beaupre <anarcat@orangeseeds.org>, 859135@bugs.debian.org
Subject: Re: Bug#859135: CVE-2016-10127: XXE attack via crafted SAML XML request or response
Date: Thu, 30 Mar 2017 21:35:44 +0200
On Thu, Mar 30, 2017 at 09:27:56PM +0200, Salvatore Bonaccorso wrote:
> On Thu, Mar 30, 2017 at 02:40:58PM -0400, Antoine Beaupre wrote:
> > Package: python-pysaml2
> > X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
> > Severity: normal
> > Tags: security
> > 
> > Hi,
> > 
> > the following vulnerability was published for python-pysaml2.
> > 
> > CVE-2016-10127[0]:
> > | PySAML2 allows remote attackers to conduct XML external entity (XXE)
> > | attacks via a crafted SAML XML request or response.
> 
> As a side note: It can be mentioned for this issue though that a
> proper fix would be appropriate in the underlying issue in
> src:libxml2. Please though see the whole discussion on oss-security
> around the CVE assignment for details.

And https://bugzilla.redhat.com/show_bug.cgi?id=1411794#c12.

Salvatore



Message sent on to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug#859135. (Mon, 20 Aug 2018 14:51:03 GMT)


Message #20 received at 859135-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 859135-submitter@bugs.debian.org
Subject: Bug #859135 in python-pysaml2 marked as pending
Date: Mon, 20 Aug 2018 14:46:18 +0000
Control: tag -1 pending

Hello,

Bug #859135 in python-pysaml2 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/python/python-pysaml2/commit/d8eab845f66985ae3e014cbe8ed46f73057e598b

------------------------------------------------------------------------
  * CVE-2016-10127: XXE attack via crafted SAML XML request or response.
    Applied upstream fix: Fix XXE in XML parsing (Closes: #859135).

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/859135



Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 859135-submitter@bugs.debian.org. (Mon, 20 Aug 2018 14:51:03 GMT)


Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 20 Aug 2018 15:54:13 GMT)


Notification sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug acknowledged by developer. (Mon, 20 Aug 2018 15:54:13 GMT)


Message #27 received at 859135-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 859135-close@bugs.debian.org
Subject: Bug#859135: fixed in python-pysaml2 4.5.0-1
Date: Mon, 20 Aug 2018 15:51:01 +0000
Source: python-pysaml2
Source-Version: 4.5.0-1

We believe that the bug you reported is fixed in the latest version of
python-pysaml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859135@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-pysaml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Aug 2018 16:47:23 +0200
Source: python-pysaml2
Binary: python-pysaml2 python-pysaml2-doc python3-pysaml2
Architecture: source all
Version: 4.5.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 python-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 2.x
 python-pysaml2-doc - SAML Version 2 to be used in a WSGI environment - doc
 python3-pysaml2 - SAML Version 2 to be used in a WSGI environment - Python 3.x
Closes: 857848 859135 882012 886423
Changes:
 python-pysaml2 (4.5.0-1) experimental; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Use team+openstack@tracker.debian.org as maintainer
 .
   [ Thomas Goirand ]
   * New upstream release. (Closes: #857848, #882012, #886423, #859135).
   * Refreshed/rebased all patches.
   * Added python{3,}-defusedxml as (build-)depends.
   * Add python{3,}-future as (build-)depends.
Checksums-Sha1:
 38649a71bf118dbfe74a6825863346a9b214ce9b 2898 python-pysaml2_4.5.0-1.dsc
 37d0cb194b322f858836282130ddea2e7fd352de 2694552 python-pysaml2_4.5.0.orig.tar.xz
 b2bafa6ca0ad6a4a9c0087ce1281be0f905aa5f3 9416 python-pysaml2_4.5.0-1.debian.tar.xz
 0c60953fc8be4caa8bee761141ba3c8c541a134c 47768 python-pysaml2-doc_4.5.0-1_all.deb
 74dfafdcc4d2cf57668d5b1d37b3cdf60425424e 201040 python-pysaml2_4.5.0-1_all.deb
 f834baec9801a125bbe984086454e88d1d5ae190 12114 python-pysaml2_4.5.0-1_amd64.buildinfo
 a49e103fb1e58409e612884b765b9b3f84f88706 201140 python3-pysaml2_4.5.0-1_all.deb
Checksums-Sha256:
 b5645fdf88ec7d889409a6304eeeed5969835fac219ee1936368b143c69b55dc 2898 python-pysaml2_4.5.0-1.dsc
 3e1a807fc82998883d8648624fabcda57a446a198e297c36a14e7969c4c2ddc1 2694552 python-pysaml2_4.5.0.orig.tar.xz
 986b06d3b8df37dde68cb52eb4945fedde5b34c3c4138bc38fe0f106f3b686a0 9416 python-pysaml2_4.5.0-1.debian.tar.xz
 694199b6f72128d095849b1fbc7d49ec43908ccbefa2ffd0bda7b052e1a42067 47768 python-pysaml2-doc_4.5.0-1_all.deb
 c893411710c41a7ea0692093423cbabd1c51e4d1a8408c3af479b79834e9b95b 201040 python-pysaml2_4.5.0-1_all.deb
 ad747746ca6f97f0fde306543f7ec6c511df11a6711f24e0a246a86782c6ea24 12114 python-pysaml2_4.5.0-1_amd64.buildinfo
 8841ab76326105c20272c0e1fe62216c50b4069782d228996e239e987cca369e 201140 python3-pysaml2_4.5.0-1_all.deb
Files:
 2a79d3b41d341526a2e80c0bd36efff4 2898 python optional python-pysaml2_4.5.0-1.dsc
 87b88150b7507cce0d39c138aa09a31f 2694552 python optional python-pysaml2_4.5.0.orig.tar.xz
 016cdf9f9699fd5248f445f7e9602ed4 9416 python optional python-pysaml2_4.5.0-1.debian.tar.xz
 9568f9111e77ca2f22d90c0f04e88549 47768 doc optional python-pysaml2-doc_4.5.0-1_all.deb
 4ef48b739d054b23f4b44778c9bd260e 201040 python optional python-pysaml2_4.5.0-1_all.deb
 76b614f7695fcf731bf366e6c019ce51 12114 python optional python-pysaml2_4.5.0-1_amd64.buildinfo
 86c95965f7e1bcd50f6e536553805ef4 201140 python optional python3-pysaml2_4.5.0-1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtKCq/KhshgVdBnYUq1PlA1hod6YFAlt623wACgkQq1PlA1ho
d6b5pA/9Gg5kUchWQlEqOljKs9moH1VexDjtwE2Zeq3Pz/IXSukD9OU165COTv8H
HfoL3ywpskT+IiurHWyijT5Yk3o017t8wuVnZ6hwEh6Gs+/Wa269162KegcwEXow
LUXhsmP0fDfIhe2zLg5uMZMR+9Nz6xYKKD/aPMhtGi1SIT+n4xwZKmhIgUDAIU6G
zkfoNam+5nUQnuTxIU3THqtGSuXTLtEJk6QoQgUckaD8myT3KQN+5XLFWog8MaAK
RKF6sE+am1taeZhqJJyUyxaJC4yL4kyBI4zOFC/hI4rGSay6Pzup7bdZ0L8XWimy
KD1VK67VMFR2cVDc1Js3QI9LLhcySzOtVTQFGv1xp5YC0xDweoIxwmtY46eGZH/P
3dWht0dGvqYZ0omQ80hY3ZcDpNq3AiZRUVOUEWGU4C5USrhxiy+P5upH6c3CIDMg
9P45s+oz5cZZs5/BFyGFEjLxKWgMeduqtVYZF6g8rhRARyfFRjaiafugnr+J9sFV
OAAoy7eEjIeVwm3P2S2PmlIifFsfQ3A0RLmrCe62coYZblufMoynZ473cz7mz5G7
KbFbftZ+AqDH/9bXP2MxpZNHaAVkMdFWChTKPwrR/UaNE/zYgsQYYl12fp01IF42
avFxlUlHbVsmTPh/ZWkCbyyjveFyAm/YuEZbpLkc2to4OayxZA4=
=JhFR
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 18 Sep 2018 07:27:21 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 21:45:03 GMT)


No longer marked as fixed in versions python-pysaml2/4.5.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 21:45:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#859135; Package python-pysaml2. (Fri, 22 Feb 2019 21:51:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Fri, 22 Feb 2019 21:51:02 GMT)


Message #38 received at 859135@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 859135@bugs.debian.org
Subject: Re: Bug#859135: CVE-2016-10127: XXE attack via crafted SAML XML request or response
Date: Fri, 22 Feb 2019 22:46:49 +0100
The CVE and fix association here was the wrong way around. CVE-2016-10127
is still unresolved and, as explained in the references, would
require a prerequisite fix in libxml2 first before being fixable in
python-pysaml2.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 23 Mar 2019 07:26:48 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:03:40 2019; Machine Name: buxtehude