Hi,

I was looking at xmlutils today, and I took a look at the history of this file, which seems to come from a CVE almost 2 years ago.

What is surprising is that, unless I missed something, the only user of that lib is Nova. Other projects such as Keystone or Neutron implemented things in a different way.

It seems that Python fixed that issue with 2 modules released on PyPI:

https://pypi.python.org/pypi/defusedxml
https://pypi.python.org/pypi/defusedexpat

I'm no XML expert, and I've only a shallow understanding of the issue, but I wonder if we should put some effort into dropping xmlutils and our custom XML fixes to use these 2 modules instead.

Hint appreciated.

--
Julien Danjou
/* Free Software hacker
   http://julien.danjou.info */