[openstack-dev] [oslo] Fate of xmlutils
Doug Hellmann
doug at doughellmann.com
Tue Sep 30 15:07:16 UTC 2014
Yes, I think we are still on track to drop 2.6 support for the servers in Kilo.
This wasn’t used in the client libraries, right?
On Sep 30, 2014, at 10:25 AM, Ben Nemec <openstack at nemebean.com> wrote:
> This was also needed for Python 2.6, right? Do we have confirmation
> that we can drop that for Kilo?
>
> -Ben
>
> On 09/30/2014 08:28 AM, Doug Hellmann wrote:
>> I agree, it sounds like option 2 is safe.
>>
>> Julien, I updated your commit message on https://review.openstack.org/#/c/125021/ to point to this thread.
>>
>> Write-it-down-ly,
>> Doug
>>
>> On Sep 30, 2014, at 7:17 AM, Davanum Srinivas <davanum at gmail.com> wrote:
>>
>>> Julien,
>>>
>>> I believe all the lessons learned from defusedxml (see the release
>>> dates) have been folded back into the different libraries. For example
>>> plain old etree.fromstring() even without any special options is ok
>>> with the specially crafted xml bombs that you can find as test cases
>>> in defusedxml repo. There is some more information here as well
>>> (http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this
>>> point, unless we see a new attack vector other than the ones that
>>> caused folks to whip up defusedxml, we should be good. So Option #2 is
>>> definitely the way to go
>>>
>>> thanks,
>>> dims
>>>
>>> On Tue, Sep 30, 2014 at 3:45 AM, Julien Danjou <julien at danjou.info> wrote:
>>>> On Mon, Sep 29 2014, Joshua Harlow wrote:
>>>>
>>>>> Do we know that the users (keystone, neutron...) aren't vulnerable?
>>>>>
>>>>> From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure seems
>>>>> like we would likely still have issues if custom implementations are being
>>>>> used/created. Perhaps we should just use the defusedxml libraries until proven
>>>>> otherwise (better to be safe than sorry).
>>>>
>>>> According to LP#1100282¹, Keystone and Neutron are supposed not to be
>>>> vulnerable, with different fixes than Nova.
>>>>
>>>> Since all the solutions are different, I'm not sure it covers the
>>>> problem in its entirety in all cases.
>>>>
>>>> I see 2 options:
>>>> 1. Put effort to move all projects to defusedxml
>>>> 2. Since XML APIs are going to be deprecated (at least in Nova), move
>>>> xmlutils to Nova and be done with it.
>>>>
>>>> Solution 1 requires a lot more effort, and I wonder if it's worth it.
>>>>
>>>>
>>>> ¹ https://bugs.launchpad.net/bugs/1100282
>>>>
>>>> --
>>>> Julien Danjou
>>>> // Free Software hacker
>>>> // http://julien.danjou.info
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>
>>>
>>>
>>> --
>>> Davanum Srinivas :: https://twitter.com/dims
>>>
>>
>>
>>
>
>
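Dims's point in the thread is that the parsers themselves now resist entity-expansion bombs; the way defusedxml gets there is different: it refuses entity declarations before anything is expanded, so the payload's size never matters. Below is that check written against the Python standard library only. It is an added example, not code from this thread, from oslo's xmlutils or from defusedxml, and the function names (scan_for_entities, safe_fromstring, classify, make_laughs) and the sample payloads are constructed for it. The "lol" bomb generator reproduces the shape of the well-known billion-laughs document at a depth you choose; the external-entity sample is the XXE pattern the LP bug family is about.

```python
"""Defused XML parsing on the standard library: abort on the first entity
declaration or external entity reference, then build the tree as usual.
Example code written for this page; not part of oslo, Nova or defusedxml."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """Raised when a document declares an entity or references an external one."""


def _refuse_entity(name, is_parameter_entity, value, base, system_id,
                   public_id, notation_name):
    # expat's EntityDeclHandler fires for every <!ENTITY ...> in the DTD,
    # internal (value set) or external (system/public id set), before the
    # reference in the body is ever expanded.
    kind = "external" if (system_id or public_id) else "internal"
    raise EntitiesForbidden("%s entity declaration refused: %r" % (kind, name))


def _refuse_external_ref(context, base, system_id, public_id):
    raise EntitiesForbidden("external entity reference refused: %r" % (system_id,))


def scan_for_entities(data):
    """Run expat over the bytes with handlers that abort on entities.

    Nothing is built here; the pass only decides whether the document is
    acceptable. A raised EntitiesForbidden propagates out of Parse()."""
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = _refuse_entity
    parser.ExternalEntityRefHandler = _refuse_external_ref
    parser.Parse(data, True)


def safe_fromstring(data):
    """Parse untrusted XML: scan first, then hand it to ElementTree."""
    scan_for_entities(data)
    return ET.fromstring(data)


def classify(data):
    """Return 'ok', 'entities-forbidden' or 'malformed' for a payload."""
    try:
        safe_fromstring(data)
    except EntitiesForbidden:
        return "entities-forbidden"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "malformed"
    return "ok"


def make_laughs(depth):
    """Build a billion-laughs style document (constructed sample).

    Each level references the previous one ten times; depth 9 would expand
    to roughly 3 GB of text if a parser actually resolved it."""
    decls = ['<!ENTITY lol1 "lol">']
    for i in range(2, depth + 1):
        ref = "&lol%d;" % (i - 1)
        decls.append('<!ENTITY lol%d "%s">' % (i, ref * 10))
    doc = ("<?xml version='1.0'?>\n<!DOCTYPE lolz [\n%s\n]>\n"
           "<lolz>&lol%d;</lolz>" % ("\n".join(decls), depth))
    return doc.encode("utf-8")


# Constructed samples for the demonstration (not taken from any project).
BENIGN = b"<server><name>vm1</name><flavor>m1.small</flavor></server>"
XXE = (b"<!DOCTYPE r [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
       b"<r>&xxe;</r>")
# An internal DTD with no entities is still accepted by this check;
# defusedxml's forbid_dtd=True option would refuse it as well.
PLAIN_DTD = b"<!DOCTYPE note [<!ELEMENT note (#PCDATA)>]><note>hi</note>"


if __name__ == "__main__":
    for label, payload in [("benign", BENIGN), ("laughs-3", make_laughs(3)),
                           ("laughs-9", make_laughs(9)), ("xxe", XXE),
                           ("plain-dtd", PLAIN_DTD)]:
        print("%-10s %s" % (label, classify(payload)))
```

The scan parses the document twice, which is the price of keeping the second stage a stock ElementTree call; defusedxml avoids that by installing the same handlers on the parser that builds the tree. Note that this says nothing about lxml: the same make_laughs() payloads can be fed to lxml's etree.fromstring to check, for the libxml2 version actually installed, whether the FAQ's claim that it rejects entity bombs holds.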