[openstack-dev] [oslo] Fate of xmlutils

Doug Hellmann doug at doughellmann.com
Tue Sep 30 15:07:16 UTC 2014


Yes, I think we are still on track to drop 2.6 support for the servers in Kilo.

This wasn’t used in the client libraries, right?

On Sep 30, 2014, at 10:25 AM, Ben Nemec <openstack at nemebean.com> wrote:

> This was also needed for Python 2.6, right?  Do we have confirmation
> that we can drop that for Kilo?
> 
> -Ben
> 
> On 09/30/2014 08:28 AM, Doug Hellmann wrote:
>> I agree, it sounds like option 2 is safe.
>> 
>> Julien, I updated your commit message on https://review.openstack.org/#/c/125021/ to point to this thread.
>> 
>> Write-it-down-ly,
>> Doug
>> 
>> On Sep 30, 2014, at 7:17 AM, Davanum Srinivas <davanum at gmail.com> wrote:
>> 
>>> Julien,
>>> 
>>> I believe all the lessons learned from defusedxml (see the release
>>> dates) have been folded back into the different libraries. For example
>>> plain old etree.fromstring() even without any special options is ok
>>> with the specially crafted xml bombs that you can find as test cases
>>> in defusedxml repo. There is some more information here as well
>>> (http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this
>>> point, unless we see a new attack vector other than the ones that
>>> caused folks to whip up defusedxml, we should be good. So Option #2 is
>>> definitely the way to go.
>>> 
>>> thanks,
>>> dims
>>> 
>>> On Tue, Sep 30, 2014 at 3:45 AM, Julien Danjou <julien at danjou.info> wrote:
>>>> On Mon, Sep 29 2014, Joshua Harlow wrote:
>>>> 
>>>>> Do we know that the users (keystone, neutron...) aren't vulnerable?
>>>>> 
>>>>> From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure seems
>>>>> like we would likely still have issues if custom implementations are being
>>>>> used/created. Perhaps we should just use the defusedxml libraries until proven
>>>>> otherwise (better to be safe than sorry).
>>>> 
>>>> According to LP#1100282¹, Keystone and Neutron are supposed to not be
>>>> vulnerable with different fixes than Nova.
>>>> 
>>>> Since all the solutions are different, I'm not sure it covers the
>>>> problem in its entirety in all cases.
>>>> 
>>>> I see 2 options:
>>>> 1. Put in the effort to move all projects to defusedxml
>>>> 2. Since XML APIs are going to be deprecated (at least in Nova), move
>>>>    xmlutils to Nova and be done with it.
>>>> 
>>>> Solution 1 requires a lot more effort, and I wonder if it's worth it.
>>>> 
>>>> 
>>>> ¹  https://bugs.launchpad.net/bugs/1100282
>>>> 
>>>> --
>>>> Julien Danjou
>>>> // Free Software hacker
>>>> // http://julien.danjou.info
>>>> 
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Davanum Srinivas :: https://twitter.com/dims
>>> 
>> 
>> 
> 
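The "forbid DTDs up front" approach dims and Julien are weighing, as an added example that is not code from the thread, from oslo's xmlutils or from defusedxml: a stdlib-only pre-parse with expat that rejects any DOCTYPE or entity declaration before the real parse, next to plain etree.fromstring() which expands internal entities happily. The two XML documents are constructed for this illustration.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class ForbiddenXML(ValueError):
    """Raised when a document declares a DTD or an entity."""


def check_no_dtd(data):
    """First pass with expat: abort on the first DOCTYPE or entity
    declaration, i.e. before any entity could be expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE declaration not allowed: %r" % name)

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration not allowed: %r" % name)

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.Parse(data, True)   # exceptions raised in handlers propagate


def safe_fromstring(data):
    """Drop-in for ET.fromstring() that refuses DTD-bearing input."""
    check_no_dtd(data)
    return ET.fromstring(data)


def is_rejected(data):
    """True if safe_fromstring() refuses the document."""
    try:
        safe_fromstring(data)
    except ForbiddenXML:
        return True
    return False


# Constructed sample input: one clean document, one with an internal DTD.
CLEAN_XML = b"<servers><server name='a'/></servers>"
DTD_XML = b"<?xml version='1.0'?><!DOCTYPE r [<!ENTITY e 'x'>]><r>&e;</r>"

if __name__ == "__main__":
    print(safe_fromstring(CLEAN_XML).tag)          # servers
    print(ET.fromstring(DTD_XML).text)             # x  (plain etree expands it)
    print(is_rejected(DTD_XML))                    # True
```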