- Issued:
- 2017-04-12
- Updated:
- 2017-04-12
RHSA-2017:0938 - Security Advisory
Synopsis
Moderate: python-defusedxml and python-pysaml2 security update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for python-defusedxml and python-pysaml2 is now available for Red Hat OpenStack Platform 10.0 (Newton).
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The defusedxml package contains several Python-only updates for security vulnerabilities in Python's XML libraries. Defusedxml functions and classes can be used instead of the originals to protect against entity-expansion and DTD-retrieval issues.
PySAML2 is the python implementation of SAML Version 2, containing all the functionality for building a SAML2 service provider or an identity provider, to be used in a WSGI environment.
Security Fix(es):
- An XML entity expansion vulnerability was found in python-pysaml2. A remote attacker could send a crafted request which would cause denial of service through resource exhaustion. (CVE-2016-10149)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat OpenStack 10 x86_64
Fixes
- BZ - 1415710 - CVE-2016-10149 python-pysaml2: Entity expansion issue
CVEs
Red Hat OpenStack 10
SRPM | |
---|---|
python-defusedxml-0.5.0-1.el7ost.src.rpm | SHA-256: 675f5c0b6a1a62e1fc2fd95b84492f7b5f5715f6bbd8732fb5859fa1fd19c5ac |
python-pysaml2-3.0.2-3.el7ost.src.rpm | SHA-256: 00d5894488db5e846dd5962329608b4cd137d6e38e2ab932b97c34bb8e32bebb |
x86_64 | |
python-defusedxml-0.5.0-1.el7ost.noarch.rpm | SHA-256: 89bf50b32b14a36034c95e5388db899f645104def3cd6f6d5b0cba31048a1c9f |
python-pysaml2-3.0.2-3.el7ost.noarch.rpm | SHA-256: f7ab3654f237f2bd335dca64c20314117dd5da17237ccfe12c131b7eee0dad90 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.