Divya: my question was more about how Keystone is using PySAML2. Does it pass arbitrary user-supplied SAML XML through the library, or does it create the XML itself in ways not directly under the control of an untrusted party? -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1750843 Title: pysaml2 version in global requirements must be updated to 4.5.0 Status in OpenStack Global Requirements: New Bug description: As per security vulnerability CVE-2016-10149, XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response and it has a CVSS v3 Base Score of 7.5. The above vulnerability has been fixed in version 4.5.0 as per https://github.com/rohe/pysaml2/issues/366. The latest version of pysaml2 (https://pypi.python.org/pypi/pysaml2/4.5.0) has this fix. However, the global requirements has the version set to < 4.0.3 https://github.com/openstack/requirements/blob/master/global-requirements.txt#L230 pysaml2>=4.0.2,<4.0.3 https://github.com/openstack/requirements/blob/master/upper-constraints.txt#L347 pysaml2===4.0.2 The version of pysaml2 supported for OpenStack should be updated such that OpenStack deployments are not vulnerable to the above mentioned CVE. pysaml2 is used by OpenStack Keystone for identity Federation. This bug in itself is not a security vulnerability but not fixing this bug causes OpenStack deployments to be vulnerable. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-requirements/+bug/1750843/+subscriptions