[openstack-dev] [oslo] Fate of xmlutils
Doug Hellmann
doug at doughellmann.com
Mon Sep 29 16:16:24 UTC 2014
On Sep 29, 2014, at 12:03 PM, Julien Danjou <julien at danjou.info> wrote:
> Hi,
>
> I was looking at xmlutils today, and I took a look at the history of
> this file that seems to come from a CVE almost 2 years ago.
>
> What is surprising is that, unless I missed something, the only user of
> that lib is Nova. Other projects such as Keystone or Neutron implemented
> things in a different way.
>
> It seems that Python fixed that issue with 2 modules released on PyPI:
>
> https://pypi.python.org/pypi/defusedxml
> https://pypi.python.org/pypi/defusedexpat
>
> I'm no XML expert, and I've only a shallow understanding of the issue,
> but I wonder if we should put some effort into dropping xmlutils and our
> custom XML fixes to use these 2 modules instead.
>
> Hint appreciated.
I thought those fixes were also eventually rolled into language releases, and we had planned to stop worrying about using xmlutils after we drop python 2.6 support for master. Am I mistaken about those being rolled into the release?
The defused* packages may have been created/released at the same time as, or after, the module in the incubator. If we do need to continue carrying support for the fix I agree that moving to the 3rd party libraries would make sense.
Doug
>
> --
> Julien Danjou
> /* Free Software hacker
> http://julien.danjou.info */
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
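Added illustration, not oslo's xmlutils nor defusedxml code: the protective approach both take against the CVE-era entity-expansion and external-entity problems is to refuse any document that declares a DTD or entities, which a plain stdlib SAX/expat subclass can do. Class and function names, the sample documents and the exception type are this example's own.

```python
# Added example: a minimal "protected" expat parser in the spirit of the
# xmlutils fix, built only on the standard library. It rejects documents
# that carry a DOCTYPE or any entity declaration, so entity-expansion
# ("billion laughs") and external-entity payloads never get expanded.
from xml.dom import minidom
from xml.sax import expatreader


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD or entities (example type)."""


class ProtectedExpatParser(expatreader.ExpatParser):
    """SAX expat parser whose DTD/entity callbacks abort the parse."""

    def start_doctype_decl(self, name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("inline DTD forbidden")

    def entity_decl(self, *args):
        raise UnsafeXMLError("entity declaration forbidden")

    def unparsed_entity_decl(self, *args):
        raise UnsafeXMLError("unparsed entity declaration forbidden")

    def external_entity_ref(self, *args):
        raise UnsafeXMLError("external entity reference forbidden")

    def reset(self):
        # Let the base class build the expat parser, then hook our handlers.
        expatreader.ExpatParser.reset(self)
        self._parser.StartDoctypeDeclHandler = self.start_doctype_decl
        self._parser.EntityDeclHandler = self.entity_decl
        self._parser.UnparsedEntityDeclHandler = self.unparsed_entity_decl
        self._parser.ExternalEntityRefHandler = self.external_entity_ref


def safe_minidom_parse_string(xml_string):
    """Parse to a minidom Document, raising UnsafeXMLError on DTD/entities."""
    return minidom.parseString(xml_string, ProtectedExpatParser())


def is_safe(xml_string):
    """True if the document parses without declaring a DTD or entities."""
    try:
        safe_minidom_parse_string(xml_string)
    except UnsafeXMLError:
        return False
    return True


# Constructed sample documents: a plain one and one with an internal entity.
SAFE_DOC = "<server><name>web-01</name></server>"
ENTITY_DOC = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "aaaa">]><d>&a;</d>'
```

`minidom.parseString(ENTITY_DOC)` with the default parser accepts the declaration, whereas the protected parser refuses it before any expansion happens.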