CVE-2013-1664
Published: 19 February 2013
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.
Notes
| Author | Note |
|---|---|
| jdstrand | Keystone on 11.10 is a pre-release version and unusable with other components such as nova and horizon quantum will be fixed in grizzly rc1, due out the 2nd week of March |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
cinder Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Released
(2012.2.1-0ubuntu1.1)
|
|
| upstream |
Pending
(2013.1~g3)
|
|
|
keystone Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Ignored
|
|
| precise |
Released
(2012.1+stable~20120824-a16a0ab9-0ubuntu2.5)
|
|
| quantal |
Released
(2012.2.1-0ubuntu1.2)
|
|
| upstream |
Pending
(2013.1~g3)
|
|
|
nova Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Released
(2011.3-0ubuntu6.12)
|
|
| precise |
Released
(2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2)
|
|
| quantal |
Released
(2012.2.1+stable-20121212-a99a802e-0ubuntu1.2)
|
|
| upstream |
Pending
(2013.1~g3)
|
|
|
python-django Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Released
(1.1.1-2ubuntu1.8)
|
|
| oneiric |
Released
(1.3-2ubuntu1.6)
|
|
| precise |
Released
(1.3.1-4ubuntu1.6)
|
|
| quantal |
Released
(1.4.1-2ubuntu0.3)
|
|
| upstream |
Released
(1.4.5-1)
|
|
|
Patches: upstream: https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40 upstream: https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112 |
||
|
quantum Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Not vulnerable
(code-not-present)
|
|
| quantal |
Not vulnerable
(code-not-present)
|
|
| upstream |
Pending
(2013.1~rc1)
|
|
|
Patches: upstream: https://review.openstack.org/gitweb?p=openstack%2Fquantum.git;a=commitdiff;h=1f716e3effe1ad6eeb042a11f06a5c89498a34b8 |
||
References
- https://www.djangoproject.com/weblog/2013/feb/19/security/
- https://ubuntu.com/security/notices/USN-1730-1
- https://ubuntu.com/security/notices/USN-1731-1
- https://ubuntu.com/security/notices/USN-1734-1
- https://ubuntu.com/security/notices/USN-1757-1
- https://www.cve.org/CVERecord?id=CVE-2013-1664
- NVD
- Launchpad
- Debian