PublicDateAtUSN: 2013-02-19
Candidate: CVE-2013-1664
PublicDate: 2013-04-03 00:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1664
 https://www.djangoproject.com/weblog/2013/feb/19/security/
 https://ubuntu.com/security/notices/USN-1730-1
 https://ubuntu.com/security/notices/USN-1731-1
 https://ubuntu.com/security/notices/USN-1734-1
 https://ubuntu.com/security/notices/USN-1757-1
Description:
 The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in
 OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and
 Folsom; Cinder Folsom; Django; and possibly other products allow remote
 attackers to cause a denial of service (resource consumption and crash) via
 an XML Entity Expansion (XEE) attack.
Ubuntu-Description:
Notes:
 jdstrand> Keystone on 11.10 is a pre-release version and unusable with other
  components such as nova and horizon
 jdstrand> quantum will be fixed in grizzly rc1, due out the 2nd week of March
Bugs:
 https://bugs.launchpad.net/keystone/+bug/1100282
 https://bugs.launchpad.net/bugs/1130445
Priority: medium
Discovered-by: Jonathan Murray
Assigned-to:
CVSS:

Patches_keystone:
upstream_keystone: pending (2013.1~g3)
hardy_keystone: DNE
lucid_keystone: DNE
oneiric_keystone: ignored
precise_keystone: released (2012.1+stable~20120824-a16a0ab9-0ubuntu2.5)
quantal_keystone: released (2012.2.1-0ubuntu1.2)
devel_keystone: not-affected (2013.1.g3-0ubuntu1)

Patches_cinder:
upstream_cinder: pending (2013.1~g3)
hardy_cinder: DNE
lucid_cinder: DNE
oneiric_cinder: DNE
precise_cinder: DNE
quantal_cinder: released (2012.2.1-0ubuntu1.1)
devel_cinder: not-affected (2013.1.g3-0ubuntu1)

Patches_nova:
upstream_nova: pending (2013.1~g3)
hardy_nova: DNE
lucid_nova: DNE
oneiric_nova: released (2011.3-0ubuntu6.12)
precise_nova: released (2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2)
quantal_nova: released (2012.2.1+stable-20121212-a99a802e-0ubuntu1.2)
devel_nova: not-affected (2013.1.g3-0ubuntu1)

Patches_python-django:
upstream: https://github.com/django/django/commit/1c60d07ba23e0350351c278ad28d0bd5aa410b40 (1.4)
upstream: https://github.com/django/django/commit/d19a27066b2247102e65412aa66917aff0091112 (1.3)
upstream_python-django: released (1.4.5-1)
hardy_python-django: ignored (reached end-of-life)
lucid_python-django: released (1.1.1-2ubuntu1.8)
oneiric_python-django: released (1.3-2ubuntu1.6)
precise_python-django: released (1.3.1-4ubuntu1.6)
quantal_python-django: released (1.4.1-2ubuntu0.3)
devel_python-django: not-affected (1.4.5-1)

Patches_quantum:
upstream: https://review.openstack.org/gitweb?p=openstack%2Fquantum.git;a=commitdiff;h=1f716e3effe1ad6eeb042a11f06a5c89498a34b8
upstream_quantum: pending (2013.1~rc1)
hardy_quantum: DNE
lucid_quantum: DNE
oneiric_quantum: DNE
precise_quantum: not-affected (code-not-present)
quantal_quantum: not-affected (code-not-present)
devel_quantum: not-affected (1:2013.1~rc1-0ubuntu1)
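The Description above names the bug class (XML Entity Expansion, the "billion laughs" pattern) but does not show it. The following is an added example, not code from this tracker entry, Django, OpenStack or the Python stdlib: it builds a small, constructed XEE payload inline, shows how plain `xml.parsers.expat` expands it, and then shows the mitigation the affected projects adopted in spirit, namely rejecting any `<!ENTITY>` declaration before expansion can occur. The document strings, the class `EntityDeclarationForbidden` and the function names are this example's own. The payload is deliberately tiny (1000x amplification, a few kilobytes) so it runs safely; the real attack nests deeper.

```python
import xml.parsers.expat

# Constructed sample payload: three levels of nested internal entities,
# ten references per level, so &lol3; expands to 1000 copies of "lol".
# A real attack uses ~9 levels and expands to gigabytes from a 1 KB document.
XEE_DOC = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Constructed benign document: uses only the predefined &amp; entity,
# which is not a declaration and must still be accepted.
BENIGN_DOC = '<?xml version="1.0"?><object><field name="x">1 &amp; 2</field></object>'


class EntityDeclarationForbidden(ValueError):
    """Raised when a document tries to declare its own entities."""


def parse_text(doc, forbid_entities=True):
    """Parse `doc` with expat and return its concatenated character data.

    With forbid_entities=True (the hardened mode), any entity declaration in
    the DTD aborts the parse *before* expat ever expands a reference to it,
    and external entity fetches are refused. With forbid_entities=False the
    parser behaves like an unhardened stdlib consumer and expands everything.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    if forbid_entities:
        # Signature per the expat module docs:
        # EntityDeclHandler(name, is_parameter_entity, value, base,
        #                   system_id, public_id, notation_name)
        def entity_decl(name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
            raise EntityDeclarationForbidden(
                "entity declaration %r not allowed" % name)

        parser.EntityDeclHandler = entity_decl

        # Refuse external entity / external DTD resolution as well;
        # returning 0 from this handler makes expat report an error.
        def external_entity_ref(context, base, system_id, public_id):
            raise EntityDeclarationForbidden(
                "external entity %r not allowed" % system_id)

        parser.ExternalEntityRefHandler = external_entity_ref

    parser.Parse(doc, True)
    return "".join(chunks)


def is_rejected(doc):
    """True if the hardened parser refuses `doc`, False if it parses cleanly."""
    try:
        parse_text(doc, forbid_entities=True)
    except EntityDeclarationForbidden:
        return True
    return False


if __name__ == "__main__":
    expanded = parse_text(XEE_DOC, forbid_entities=False)
    print("unhardened parser expanded a %d-byte document to %d characters"
          % (len(XEE_DOC), len(expanded)))
    print("hardened parser rejects payload:", is_rejected(XEE_DOC))
    print("hardened parser accepts benign doc:", not is_rejected(BENIGN_DOC),
          repr(parse_text(BENIGN_DOC)))
```

The key design point is where the check sits: `EntityDeclHandler` fires while the DTD is being read, so the parse is aborted before the `&lol3;` reference in the body is ever expanded. Limiting the size of the expanded output after the fact would be too late, since the memory and CPU have already been spent. Modern libexpat (2.4.0 and later) also enforces an amplification ratio on its own, but only for documents above an activation threshold, so a small-but-deep payload against an older interpreter still relies on the declaration check shown here.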