[Openstack-security] [Bug 1750843] Re: pysaml2 version in global requirements must be updated to 4.5.0
The usage of the PySAML2 library in keystone is isolated to a single
module dedicated to identity provider functionality, which would
make sense if we're dealing with SAML assertions. From what I can tell
after briefly refreshing myself with the code, is that we use the
library to generate SAML assertions based on a user's token. Instead of
authenticating for a token, a user authenticates *with* a token for a
SAML assertion they can give to a service provider (e.g. keystone-to-
From what I can tell, and consulting with other keystone developers who
are more familiar with this area of the code, it is a POST call used for
authentication that only requires the ID of a token.
Regardless, it doesn't sound like upgrading the requirement would hurt?
pysaml2 version in global requirements must be updated to 4.5.0
Status in OpenStack Global Requirements:
As per security vulnerability CVE-2016-10149, XML External Entity
(XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote
attackers to read arbitrary files via a crafted SAML XML request or
response and it has a CVSS v3 Base Score of 7.5.
The above vulnerability has been fixed in version 4.5.0 as per
https://github.com/rohe/pysaml2/issues/366. The latest version of
pysaml2 (https://pypi.python.org/pypi/pysaml2/4.5.0) has this fix.
However, the global requirements has the version set to < 4.0.3.
The version of pysaml2 supported for OpenStack should be updated such
that OpenStack deployments are not vulnerable to the above mentioned

pysaml2 is used by OpenStack Keystone for identity Federation. This
bug in itself is not a security vulnerability but not fixing this bug
causes OpenStack deployments to be vulnerable.
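The point of the bug is that a pin such as "pysaml2<4.0.3" in the requirements file cannot admit the patched 4.5.0 release, so every deployment built from that file stays on a vulnerable version regardless of what is on PyPI. The script below, added here as an illustration and not part of the bug report or of the openstack/requirements project, audits a requirements-style text for a package pin and reports whether the pin allows the fixed version and whether it still permits any version below it. The sample requirements text is constructed; the only real values are the package name and the 4.5.0 fix version taken from the bug. The version parser is a minimal one that understands only numeric dotted versions and the <, <=, >, >=, ==, != operators.

```python
"""Audit a requirements/constraints text for a pin that excludes a security fix.

Added example, not code from the bug report or from openstack/requirements.
Handles numeric dotted versions and the operators < <= > >= == != only.
"""
import re

# Constructed sample in the shape the bug describes: a pin that excludes 4.5.0.
SAMPLE_REQUIREMENTS = """\
# constructed excerpt, not the real global-requirements.txt
pysaml2<4.0.3,>=2.4.0  # BSD
keystonemiddleware>=4.17.0  # Apache-2.0
"""

# Constructed corrected line, as the bug proposes.
FIXED_REQUIREMENTS = """\
pysaml2>=4.5.0  # BSD
"""

# First pysaml2 release without CVE-2016-10149, per the bug text.
FIXED_VERSION = "4.5.0"


def parse_version(text):
    """'4.5.0' -> (4, 5, 0); shorter strings such as '4.5' are accepted."""
    return tuple(int(part) for part in text.strip().split("."))


def _cmp(a, b):
    """Compare two version tuples, padding with zeros so 4.5 == 4.5.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
}

_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)(?P<specs>[^#\s]*)")


def parse_requirement(line):
    """Return (package_name, [(operator, version_tuple), ...]) for one line."""
    m = _REQ_RE.match(line.strip())
    name = m.group("name").lower()
    specs = []
    for clause in filter(None, m.group("specs").split(",")):
        op = re.match(r"[<>=!]+", clause).group(0)
        specs.append((op, parse_version(clause[len(op):])))
    return name, specs


def allows(specs, version):
    """True if every clause of the pin admits `version`."""
    v = parse_version(version)
    return all(_OPS[op](_cmp(v, bound)) for op, bound in specs)


def admits_vulnerable(specs, fixed=FIXED_VERSION):
    """True if the pin still permits some version below `fixed`.

    Conservative: a pin is only considered safe when a lower bound (>=, >)
    or an exact pin (==) is at or above the fixed version.
    """
    f = parse_version(fixed)
    for op, bound in specs:
        if op in (">=", ">", "==") and _cmp(bound, f) >= 0:
            return False
    return True


def audit(requirements_text, package="pysaml2", fixed=FIXED_VERSION):
    """Return one finding per line that pins `package`."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing licence comments
        if not line:
            continue
        name, specs = parse_requirement(line)
        if name != package:
            continue
        findings.append({
            "line": line,
            "allows_fixed": allows(specs, fixed),
            "admits_vulnerable": admits_vulnerable(specs, fixed),
        })
    return findings


if __name__ == "__main__":
    for label, text in (("current pin", SAMPLE_REQUIREMENTS),
                        ("proposed pin", FIXED_REQUIREMENTS)):
        for f in audit(text):
            ok = f["allows_fixed"] and not f["admits_vulnerable"]
            print(f"{label}: {f['line']!r} -> {'OK' if ok else 'NEEDS BUMP'}")
```

Run as a script it prints NEEDS BUMP for the "<4.0.3" pin and OK for ">=4.5.0". The same audit function can be pointed at a real constraints file (read it into a string) to confirm that a security-motivated minimum version has actually landed rather than trusting that the latest release on PyPI is what deployments install.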