| 2021-12-06 15:52:00 |
Corey Bryant |
bug |
|
|
added bug |
| 2021-12-06 15:52:11 |
Corey Bryant |
bug |
|
|
added subscriber MIR approval team |
| 2021-12-06 15:52:33 |
Corey Bryant |
description |
[MIR] python-xmlschema
[Availability]
Currently in universe
[Rationale]
New versions of python-pysaml2 have a hard dependency on python-xmlschema.
commit 3b707723dcf1bf60677b424aac398c0c3557641d from pysaml2 (https://github.com/IdentityPython/pysaml2.git) introduced the dependency on xmlschema:
commit 3b707723dcf1bf60677b424aac398c0c3557641d
Author: Ivan Kanakarakis <ivan.kanak@gmail.com>
Date: Sat Jan 9 00:31:13 2021 +0200
Fix CVE-2021-21238 - SAML XML Signature wrapping
All users of pysaml2 that use the default `CryptoBackendXmlSec1` backend and need to
verify signed SAML documents are impacted. `pysaml2 <= 6.4.1` does not validate the SAML
document against an XML schema. This allows invalid XML documents to trick the
verification process, by presenting elements with a valid signature inside elements
whose content has been malformed. The verification is offloaded to `xmlsec1` and
`xmlsec1` will not validate every signature in the given document, but only the first it
finds in the given scope.
Credits for the report:
- Victor Schönfelder Garcia (isits AG International School of IT Security)
- Juraj Somorovsky (Paderborn University)
- Vladislav Mladenov (Ruhr University Bochum)
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
[Security]
No security history
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.
[Dependencies]
Depends on python3-elementpath which is in universe.
[Standards Compliance]
FHS and Debian Policy compliant
[Maintenance]
Simple python package that the OpenStack Team will take care of
[Background]
The xmlschema library is an implementation of XML Schema for Python (supports Python 3.6+).
This library arises from the needs of a solid Python layer for processing XML Schema based files for MaX (Materials design at the Exascale) European project. A significant problem is the encoding and the decoding of the XML data files produced by different simulation software. Another important requirement is the XML data validation, in order to put the produced data under control. The lack of a suitable alternative for Python in the schema-based decoding of XML data has led to build this library. Obviously this library can be useful for other cases related to XML Schema based processing, not only for the original scope.
The full xmlschema documentation is available at https://xmlschema.readthedocs.io/en/latest/
--------------------------------------------------------------------------------------------
[MIR] elementpath
[Availability]
Currently in universe
[Rationale]
New versions of python3-pysaml2 have a hard dependency on python3-xmlschema, which has a hard dependency on python3-elementpath.
[Security]
No security history
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.
[Dependencies]
All are in main
[Standards Compliance]
FHS and Debian Policy compliant
[Maintenance]
Simple python package that the OpenStack Team will take care of
[Background]
Provides XPath 1.0 and 2.0 selectors for Python's ElementTree XML data structures, both for the standard ElementTree library and for the lxml.etree library.
https://github.com/sissaschool/elementpath |
[MIR] python-xmlschema
[Availability]
Currently in universe
[Rationale]
New versions of python-pysaml2 have a hard dependency on python-xmlschema.
commit 3b707723dcf1bf60677b424aac398c0c3557641d from pysaml2 (https://github.com/IdentityPython/pysaml2.git) introduced the dependency on xmlschema:
commit 3b707723dcf1bf60677b424aac398c0c3557641d
Author: Ivan Kanakarakis <ivan.kanak@gmail.com>
Date: Sat Jan 9 00:31:13 2021 +0200
Fix CVE-2021-21238 - SAML XML Signature wrapping
All users of pysaml2 that use the default `CryptoBackendXmlSec1` backend and need to
verify signed SAML documents are impacted. `pysaml2 <= 6.4.1` does not validate the SAML
document against an XML schema. This allows invalid XML documents to trick the
verification process, by presenting elements with a valid signature inside elements
whose content has been malformed. The verification is offloaded to `xmlsec1` and
`xmlsec1` will not validate every signature in the given document, but only the first it
finds in the given scope.
Credits for the report:
- Victor Schönfelder Garcia (isits AG International School of IT Security)
- Juraj Somorovsky (Paderborn University)
- Vladislav Mladenov (Ruhr University Bochum)
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
[Security]
No security history
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.
[Dependencies]
Depends on python3-elementpath which is in universe.
[Standards Compliance]
FHS and Debian Policy compliant
[Maintenance]
Simple python package that the OpenStack Team will take care of
[Background]
The xmlschema library is an implementation of XML Schema for Python (supports Python 3.6+).
This library arises from the needs of a solid Python layer for processing XML Schema based files for MaX (Materials design at the Exascale) European project. A significant problem is the encoding and the decoding of the XML data files produced by different simulation software. Another important requirement is the XML data validation, in order to put the produced data under control. The lack of a suitable alternative for Python in the schema-based decoding of XML data has led to build this library. Obviously this library can be useful for other cases related to XML Schema based processing, not only for the original scope.
The full xmlschema documentation is available at https://xmlschema.readthedocs.io/en/latest/
-------------------------------------------------------------------------
[MIR] elementpath
[Availability]
Currently in universe
[Rationale]
New versions of python3-pysaml2 have a hard dependency on python3-xmlschema, which has a hard dependency on python3-elementpath.
[Security]
No security history
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.
[Dependencies]
All are in main
[Standards Compliance]
FHS and Debian Policy compliant
[Maintenance]
Simple python package that the OpenStack Team will take care of
[Background]
Provides XPath 1.0 and 2.0 selectors for Python's ElementTree XML data structures, both for the standard ElementTree library and for the lxml.etree library.
https://github.com/sissaschool/elementpath |
|
| 2021-12-07 15:46:12 |
Christian Ehrhardt |
python-xmlschema (Ubuntu): assignee |
|
James Page (james-page) |
|
| 2021-12-07 16:22:16 |
James Page |
bug task added |
|
elementpath (Ubuntu) |
|
| 2021-12-07 16:22:33 |
James Page |
elementpath (Ubuntu): assignee |
|
James Page (james-page) |
|
| 2021-12-07 16:22:36 |
James Page |
elementpath (Ubuntu): status |
New |
In Progress |
|
| 2021-12-07 16:22:38 |
James Page |
python-xmlschema (Ubuntu): status |
New |
In Progress |
|
| 2021-12-07 16:32:54 |
James Page |
summary |
[MIR] python-xmlschema, elementpath |
[MIR] python-xmlschema, elementpath, importlib-resources |
|
| 2021-12-07 16:33:04 |
James Page |
bug task added |
|
importlib-resources (Ubuntu) |
|
| 2021-12-07 16:33:10 |
James Page |
importlib-resources (Ubuntu): assignee |
|
James Page (james-page) |
|
| 2021-12-07 16:33:14 |
James Page |
importlib-resources (Ubuntu): status |
New |
In Progress |
|
| 2021-12-07 16:35:11 |
James Page |
description |
[MIR] python-xmlschema
[Availability]
Currently in universe
[Rationale]
New versions of python-pysaml2 have a hard dependency on python-xmlschema.
commit 3b707723dcf1bf60677b424aac398c0c3557641d from pysaml2 (https://github.com/IdentityPython/pysaml2.git) introduced the dependency on xmlschema:
commit 3b707723dcf1bf60677b424aac398c0c3557641d
Author: Ivan Kanakarakis <ivan.kanak@gmail.com>
Date: Sat Jan 9 00:31:13 2021 +0200
Fix CVE-2021-21238 - SAML XML Signature wrapping
All users of pysaml2 that use the default `CryptoBackendXmlSec1` backend and need to
verify signed SAML documents are impacted. `pysaml2 <= 6.4.1` does not validate the SAML
document against an XML schema. This allows invalid XML documents to trick the
verification process, by presenting elements with a valid signature inside elements
whose content has been malformed. The verification is offloaded to `xmlsec1` and
`xmlsec1` will not validate every signature in the given document, but only the first it
finds in the given scope.
Credits for the report:
- Victor Schönfelder Garcia (isits AG International School of IT Security)
- Juraj Somorovsky (Paderborn University)
- Vladislav Mladenov (Ruhr University Bochum)
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
[Security]
No security history
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.
[Dependencies]
Depends on python3-elementpath which is in universe.
[Standards Compliance]
FHS and Debian Policy compliant
[Maintenance]
Simple python package that the OpenStack Team will take care of
[Background]
The xmlschema library is an implementation of XML Schema for Python (supports Python 3.6+).
This library arises from the needs of a solid Python layer for processing XML Schema based files for MaX (Materials design at the Exascale) European project. A significant problem is the encoding and the decoding of the XML data files produced by different simulation software. Another important requirement is the XML data validation, in order to put the produced data under control. The lack of a suitable alternative for Python in the schema-based decoding of XML data has led to build this library. Obviously this library can be useful for other cases related to XML Schema based processing, not only for the original scope.
The full xmlschema documentation is available at https://xmlschema.readthedocs.io/en/latest/
-------------------------------------------------------------------------
[MIR] elementpath
[Availability]
Currently in universe
[Rationale]
New versions of python3-pysaml2 have a hard dependency on python3-xmlschema, which has a hard dependency on python3-elementpath.
[Security]
No security history
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.
[Dependencies]
All are in main
[Standards Compliance]
FHS and Debian Policy compliant
[Maintenance]
Simple python package that the OpenStack Team will take care of
[Background]
Provides XPath 1.0 and 2.0 selectors for Python's ElementTree XML data structures, both for the standard ElementTree library and for the lxml.etree library.
https://github.com/sissaschool/elementpath |
[MIR] python-xmlschema
[Availability]
Currently in universe
[Rationale]
New versions of python-pysaml2 have a hard dependency on python-xmlschema.
commit 3b707723dcf1bf60677b424aac398c0c3557641d from pysaml2 (https://github.com/IdentityPython/pysaml2.git) introduced the dependency on xmlschema:
commit 3b707723dcf1bf60677b424aac398c0c3557641d
Author: Ivan Kanakarakis <ivan.kanak@gmail.com>
Date: Sat Jan 9 00:31:13 2021 +0200
Fix CVE-2021-21238 - SAML XML Signature wrapping
All users of pysaml2 that use the default `CryptoBackendXmlSec1` backend and need to
verify signed SAML documents are impacted. `pysaml2 <= 6.4.1` does not validate the SAML
document against an XML schema. This allows invalid XML documents to trick the
verification process, by presenting elements with a valid signature inside elements
whose content has been malformed. The verification is offloaded to `xmlsec1` and
`xmlsec1` will not validate every signature in the given document, but only the first it
finds in the given scope.
Credits for the report:
- Victor Schönfelder Garcia (isits AG International School of IT Security)
- Juraj Somorovsky (Paderborn University)
- Vladislav Mladenov (Ruhr University Bochum)
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
[Security]
No security history
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.
[Dependencies]
Depends on python3-elementpath which is in universe.
[Standards Compliance]
FHS and Debian Policy compliant
[Maintenance]
Simple python package that the OpenStack Team will take care of
[Background]
The xmlschema library is an implementation of XML Schema for Python (supports Python 3.6+).
This library arises from the needs of a solid Python layer for processing XML Schema based files for MaX (Materials design at the Exascale) European project. A significant problem is the encoding and the decoding of the XML data files produced by different simulation software. Another important requirement is the XML data validation, in order to put the produced data under control. The lack of a suitable alternative for Python in the schema-based decoding of XML data has led to build this library. Obviously this library can be useful for other cases related to XML Schema based processing, not only for the original scope.
The full xmlschema documentation is available at https://xmlschema.readthedocs.io/en/latest/
-------------------------------------------------------------------------
[MIR] elementpath
[Availability]
Currently in universe
[Rationale]
New versions of python3-pysaml2 have a hard dependency on python3-xmlschema, which has a hard dependency on python3-elementpath.
[Security]
No security history
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.
[Dependencies]
All are in main
[Standards Compliance]
FHS and Debian Policy compliant
[Maintenance]
Simple python package that the OpenStack Team will take care of
[Background]
Provides XPath 1.0 and 2.0 selectors for Python's ElementTree XML data structures, both for the standard ElementTree library and for the lxml.etree library.
https://github.com/sissaschool/elementpath
-------------------------------------------------------------------------
[MIR] importlib-resources
[Availability]
Currently in universe
[Rationale]
New versions of python3-pysaml2 have a hard dependency on importlib-resources - this is a backport of the importlib.resources module found in Python 3.9 or later. Why do we need this module then? Well for OpenStack it will be backported to Focal which uses a pre 3.9 Python version.
[Security]
No security history
[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.
[Dependencies]
All are in main
[Standards Compliance]
FHS and Debian Policy compliant
[Maintenance]
Simple python package that the OpenStack Team will take care of |
|
| 2021-12-09 13:23:30 |
James Page |
importlib-resources (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2021-12-09 13:32:46 |
James Page |
elementpath (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2021-12-09 13:41:10 |
James Page |
python-xmlschema (Ubuntu): status |
In Progress |
New |
|
| 2021-12-09 13:41:22 |
James Page |
python-xmlschema (Ubuntu): assignee |
James Page (james-page) |
Ubuntu Security Team (ubuntu-security) |
|
| 2021-12-10 17:26:30 |
Steve Langasek |
elementpath (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2021-12-10 17:27:02 |
Steve Langasek |
importlib-resources (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2022-01-18 16:43:43 |
James Page |
python-xmlschema (Ubuntu): milestone |
|
ubuntu-22.04-feature-freeze |
|
| 2022-01-19 13:56:09 |
Christian Ehrhardt |
python-xmlschema (Ubuntu): importance |
Undecided |
High |
|
| 2022-03-29 04:29:44 |
Alex Murray |
python-xmlschema (Ubuntu): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
| 2022-03-29 05:36:43 |
Christian Ehrhardt |
python-xmlschema (Ubuntu): status |
New |
Incomplete |
|
| 2022-03-30 17:58:42 |
Corey Bryant |
python-xmlschema (Ubuntu): status |
Incomplete |
New |
|
| 2022-03-31 08:04:03 |
Christian Ehrhardt |
python-xmlschema (Ubuntu): status |
New |
In Progress |
|
| 2022-03-31 08:04:12 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Package Archive Administrators |
| 2022-04-08 20:22:14 |
Christian Ehrhardt |
python-xmlschema (Ubuntu): status |
In Progress |
Fix Released |
|
