[MIR] defusedxml

Bug #1713264 reported by Steve Langasek
Affects: defusedxml (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

[Availability]
Currently in universe

[Rationale]
python-pysaml2 now depends on defusedxml in order to fix CVE-2016-10149.

[Security]
Only these security histories were found, but all of them are already fixed.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1665
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1664

[Quality assurance]
Package has self tests that are called at build/install time, but no autopkgtests.
No bug reports were found for this package in the Debian bug tracker.
No major bugs related to it in launchpad.

[Dependencies]
All the dependencies are in main (python-all, python3-all, debhelper, dh-python, python-setuptools, python3-setuptools)

[Standards compliance]
I haven't found any FHS or Debian policy violations.

[Maintenance]
Ubuntu-openstack

[Background information]
Package description: XML bomb protection for Python stdlib modules

The results of an attack on a vulnerable XML library can be fairly
dramatic. With just a few hundred bytes of XML data an attacker can occupy several
gigabytes of memory within seconds. An attacker can also keep
CPUs busy for a long time with a small to medium size request.
This library allows for XML to be parsed in a manner that avoids these
pitfalls. This package contains the module for the Python 2 interpreter.

Tags: artful
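The XML bomb mechanism summarised in the package description above, as an added example (not code from the bug report or from defusedxml itself): a plain expat parser expands a small nested-entity document, while a parser fitted with the entity-declaration handler that defusedxml installs refuses it before any expansion happens. The sample document is constructed here and kept deliberately small.

```python
import xml.parsers.expat

# Constructed sample (not from the bug report): a deliberately small nested-entity
# document. Each level references the previous one ten times, so three levels
# turn a few hundred bytes of XML into 3000 characters of text; real attacks go deeper.
ENTITY_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE d [
 <!ENTITY lol0 "lol">
 <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<d>&lol3;</d>"""


class EntitiesForbidden(ValueError):
    """Raised when a document declares entities (same idea as defusedxml's exception)."""


def expanded_length(data):
    """Parse with an unprotected expat parser and return how many characters of
    text the entity expansion produces, i.e. the memory the parser commits."""
    parser = xml.parsers.expat.ParserCreate()
    total = 0

    def on_text(text):
        nonlocal total
        total += len(text)

    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return total


def parse_defended(data):
    """Parse the way defusedxml does: an entity-declaration handler aborts the
    parse as soon as the DTD declares any entity. Returns the element names seen."""
    parser = xml.parsers.expat.ParserCreate()
    names = []

    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        raise EntitiesForbidden("entity declaration not allowed: %s" % name)

    parser.EntityDeclHandler = forbid_entity  # fires before any expansion
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def is_rejected(data):
    """True if the defended parser refuses the document."""
    try:
        parse_defended(data)
    except EntitiesForbidden:
        return True
    return False
```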
Steve Langasek (vorlon)
Changed in defusedxml (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in defusedxml (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → Leonidas S. Barbosa (leosilvab)
description: updated
description: updated
description: updated
description: updated
description: updated
description: updated
Changed in defusedxml (Ubuntu):
assignee: Leonidas S. Barbosa (leosilvab) → nobody
Tyler Hicks (tyhicks)
Changed in defusedxml (Ubuntu):
status: Incomplete → New
description: updated
James Page (james-page) wrote :

ubuntu-openstack is now subscribed to all bugs about defusedxml.

Matthias Klose (doko) wrote :

 - the packaging looks ok
 - debian/copyright is outdated. Both copyright holders mentioned
   are not shown in the upstream code, and the current copyright
   holders are missing.
 - besides that the package looks ok

Changed in defusedxml (Ubuntu):
status: New → Incomplete
James Page (james-page) wrote :

Update with amended d/copyright uploaded to artful; I'll submit that back to Debian as well.

Changed in defusedxml (Ubuntu):
status: Incomplete → New
importance: Undecided → Medium
Matthias Klose (doko) wrote :

Override component to main
defusedxml 0.5.0-1ubuntu1 in artful: universe/misc -> main
python-defusedxml 0.5.0-1ubuntu1 in artful amd64: universe/python/optional/100% -> main
python-defusedxml 0.5.0-1ubuntu1 in artful arm64: universe/python/optional/100% -> main
python-defusedxml 0.5.0-1ubuntu1 in artful armhf: universe/python/optional/100% -> main
python-defusedxml 0.5.0-1ubuntu1 in artful i386: universe/python/optional/100% -> main
python-defusedxml 0.5.0-1ubuntu1 in artful ppc64el: universe/python/optional/100% -> main
python-defusedxml 0.5.0-1ubuntu1 in artful s390x: universe/python/optional/100% -> main
python3-defusedxml 0.5.0-1ubuntu1 in artful amd64: universe/python/optional/100% -> main
python3-defusedxml 0.5.0-1ubuntu1 in artful arm64: universe/python/optional/100% -> main
python3-defusedxml 0.5.0-1ubuntu1 in artful armhf: universe/python/optional/100% -> main
python3-defusedxml 0.5.0-1ubuntu1 in artful i386: universe/python/optional/100% -> main
python3-defusedxml 0.5.0-1ubuntu1 in artful ppc64el: universe/python/optional/100% -> main
python3-defusedxml 0.5.0-1ubuntu1 in artful s390x: universe/python/optional/100% -> main
13 publications overridden.

Changed in defusedxml (Ubuntu):
status: New → Fix Released