[MIR] defusedxml
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
defusedxml (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
[Availability]
Currently in universe
[Rationale]
python-pysaml2 now depends on defusedxml in order to fix CVE-2016-10149.
[Security]
Only these security histories were found, but all of them are already fixed.
https:/
https:/
[Quality assurance]
The package has a self test that is called at build/install time, but no autopkgtest.
No bug reports were found for this package in the Debian bug tracker.
No major bugs related to it in Launchpad.
[Dependencies]
All the dependencies are in main (python-all, python3-all, debhelper, dh-python, python-setuptools, python3-setuptools)
[Standards compliance]
I haven't found any FHS or Debian policy violations
[Maintenance]
Ubuntu-openstack
[Background information]
Package description: XML bomb protection for Python stdlib modules
The results of an attack on a vulnerable XML library can be fairly
dramatic. With just a few hundred bytes of XML data an attacker can occupy several
gigabytes of memory within seconds. An attacker can also keep
CPUs busy for a long time with a small to medium size request.
This library allows for XML to be parsed in a manner that avoids these
pitfalls. This package contains the module for the Python 2 interpreter.
Changed in defusedxml (Ubuntu): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in defusedxml (Ubuntu): | |
assignee: | Marc Deslauriers (mdeslaur) → Leonidas S. Barbosa (leosilvab) |
description: | updated |
Changed in defusedxml (Ubuntu): | |
assignee: | Leonidas S. Barbosa (leosilvab) → nobody |
Changed in defusedxml (Ubuntu): | |
status: | Incomplete → New |
description: | updated |
ubuntu-openstack is now subscribed to all bugs about defusedxml.