CVE-2013-1664

Publication date 19 February 2013

Last updated 24 July 2024


Ubuntu priority

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.

Read the notes from the security team

Status

Package Ubuntu Release Status
cinder 12.10 quantal
Fixed 2012.2.1-0ubuntu1.1
12.04 LTS precise Not in release
11.10 oneiric Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Not in release
keystone 12.10 quantal
Fixed 2012.2.1-0ubuntu1.2
12.04 LTS precise
Fixed 2012.1+stable~20120824-a16a0ab9-0ubuntu2.5
11.10 oneiric Ignored
10.04 LTS lucid Not in release
8.04 LTS hardy Not in release
nova 12.10 quantal
Fixed 2012.2.1+stable-20121212-a99a802e-0ubuntu1.2
12.04 LTS precise
Fixed 2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2
11.10 oneiric
Fixed 2011.3-0ubuntu6.12
10.04 LTS lucid Not in release
8.04 LTS hardy Not in release
python-django 12.10 quantal
Fixed 1.4.1-2ubuntu0.3
12.04 LTS precise
Fixed 1.3.1-4ubuntu1.6
11.10 oneiric
Fixed 1.3-2ubuntu1.6
10.04 LTS lucid
Fixed 1.1.1-2ubuntu1.8
8.04 LTS hardy Ignored end of life
quantum 12.10 quantal
Not affected
12.04 LTS precise
Not affected
11.10 oneiric Not in release
10.04 LTS lucid Not in release
8.04 LTS hardy Not in release

Notes


jdstrand

Keystone on 11.10 is a pre-release version and unusable with other components such as nova and horizon quantum will be fixed in grizzly rc1, due out the 2nd week of March

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
python-django
quantum

References

Related Ubuntu Security Notices (USN)

    • USN-1731-1
    • OpenStack Cinder vulnerability
    • 21 February 2013
    • USN-1730-1
    • OpenStack Keystone vulnerabilities
    • 20 February 2013
    • USN-1734-1
    • OpenStack Nova vulnerability
    • 21 February 2013

Other references