Your submission was sent successfully! Close

CVE-2013-1664

Published: 19 February 2013

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.

Notes

AuthorNote
jdstrand
Keystone on 11.10 is a pre-release version and unusable with other
components such as nova and horizon
quantum will be fixed in grizzly rc1, due out the 2nd week of March
Priority

Medium

Status

Package Release Status
cinder
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

oneiric Does not exist

precise Does not exist

quantal
Released (2012.2.1-0ubuntu1.1)
upstream Pending
(2013.1~g3)
keystone
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

oneiric Ignored

precise
Released (2012.1+stable~20120824-a16a0ab9-0ubuntu2.5)
quantal
Released (2012.2.1-0ubuntu1.2)
upstream Pending
(2013.1~g3)
nova
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

oneiric
Released (2011.3-0ubuntu6.12)
precise
Released (2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2)
quantal
Released (2012.2.1+stable-20121212-a99a802e-0ubuntu1.2)
upstream Pending
(2013.1~g3)
python-django
Launchpad, Ubuntu, Debian
hardy Ignored
(reached end-of-life)
lucid
Released (1.1.1-2ubuntu1.8)
oneiric
Released (1.3-2ubuntu1.6)
precise
Released (1.3.1-4ubuntu1.6)
quantal
Released (1.4.1-2ubuntu0.3)
upstream
Released (1.4.5-1)
Patches:
upstream: https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40 (1.4)
upstream: https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112 (1.3)

quantum
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Does not exist

oneiric Does not exist

precise Not vulnerable
(code-not-present)
quantal Not vulnerable
(code-not-present)
upstream Pending
(2013.1~rc1)
Patches:


upstream: https://review.openstack.org/gitweb?p=openstack%2Fquantum.git;a=commitdiff;h=1f716e3effe1ad6eeb042a11f06a5c89498a34b8