
[Openstack-security] [Bug 1750843] [NEW] pysaml2 version in global requirements must be updated to 4.5.0


Public bug reported:

As per security vulnerability CVE-2016-10149, an XML External Entity (XXE)
vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to
read arbitrary files via a crafted SAML XML request or response; it
has a CVSS v3 Base Score of 7.5.

The above vulnerability has been fixed in version 4.5.0 as per
https://github.com/rohe/pysaml2/issues/366. The latest version of
pysaml2 (https://pypi.python.org/pypi/pysaml2/4.5.0) has this fix.
However, the global requirements have the version set to <4.0.3:

https://github.com/openstack/requirements/blob/master/global-requirements.txt#L230
pysaml2>=4.0.2,<4.0.3

https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L347
pysaml2===4.0.2

The version of pysaml2 supported for OpenStack should be updated such
that OpenStack deployments are not vulnerable to the above mentioned
CVE.

pysaml2 is used by OpenStack Keystone for identity federation. This bug
in itself is not a security vulnerability, but not fixing it causes
OpenStack deployments to be vulnerable.

** Affects: openstack-requirements
     Importance: Undecided
         Status: New


** Tags: security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-10149

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1750843

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-requirements/+bug/1750843/+subscriptions
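The report's point is that both pin lines still admit only releases affected by CVE-2016-10149. The following is an added example, not code from the bug report or the OpenStack requirements project: it evaluates the two quoted specifier lines against the fix version 4.5.0 named in the report and classifies each pin. The names `audit`, `requires_fix` and the verdict labels are this example's own.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Clause = Tuple[str, Version]

# Constraint lines quoted in the bug report and the fix version it names.
GLOBAL_REQUIREMENT = "pysaml2>=4.0.2,<4.0.3"   # global-requirements.txt
UPPER_CONSTRAINT = "pysaml2===4.0.2"           # upper-constraints.txt
FIXED_VERSION = "4.5.0"                        # first release without CVE-2016-10149

_OPS = {
    "===": lambda a, b: a == b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
}
_SPEC_RE = re.compile(r"^(===|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """'4.5' -> (4, 5, 0): pad to three parts so tuples compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def parse_requirement(line: str) -> Tuple[str, List[Clause]]:
    """Split 'name>=a,<b' into the project name and its (operator, version) clauses."""
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", line.strip())
    name, spec = m.group(1), m.group(2)
    clauses: List[Clause] = []
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        sm = _SPEC_RE.match(part)
        if not sm:
            raise ValueError(f"unsupported specifier: {part!r}")
        clauses.append((sm.group(1), parse_version(sm.group(2))))
    return name, clauses


def allows(clauses: List[Clause], version: Version) -> bool:
    """True if every clause admits the version (an empty specifier admits everything)."""
    return all(_OPS[op](version, bound) for op, bound in clauses)


def requires_fix(clauses: List[Clause]) -> bool:
    """True only if some clause forces every admitted version to be >= the fix."""
    fixed = parse_version(FIXED_VERSION)
    return any(op in ("===", "==", ">=", ">") and bound >= fixed for op, bound in clauses)


def audit(line: str) -> Dict[str, object]:
    """Classify one requirement line: 'ok' forces the fix, 'loose' merely admits it,
    'pins vulnerable' cannot resolve to the fixed release at all."""
    name, clauses = parse_requirement(line)
    admits, forces = allows(clauses, parse_version(FIXED_VERSION)), requires_fix(clauses)
    verdict = "ok" if forces else ("loose" if admits else "pins vulnerable")
    return {"name": name, "admits_fix": admits, "forces_fix": forces, "verdict": verdict}


if __name__ == "__main__":
    for line in (GLOBAL_REQUIREMENT, UPPER_CONSTRAINT, "pysaml2>=4.5.0"):
        print(f"{line:28} -> {audit(line)['verdict']}")
```

Both lines from the report come back as "pins vulnerable", while a corrected `pysaml2>=4.5.0` comes back "ok"; a bare `pysaml2>=4.0.2` would be "loose", since it admits 4.5.0 but does not exclude the affected releases.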