This bug is missing critical details: in particular, I don't see any mention of an actual attack vector. Is the implication that these drivers are handling untrusted XML data? And from where, the devices themselves? Who is the purported attacker, and how would this be used to their advantage? If there is no clear exploit scenario, we generally triage these sorts of reports as security hardening opportunities (class D in our taxonomy): https://security.openstack.org/vmt-process.html#incident-report-taxonomy
Reports like this which are simply output from running standard inspection tools against projects' source code are generally not worth keeping private anyway, in my opinion.