[SECURITY] [DLA 3470-1] owslib security update

2023-06-2518:34:53

lists.debian.org

xml

python

parser

owslib

update

entity resolution

debian

file reads

buster

security

debian 10

cve-2023-27476

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

51.0%

JSON

Debian LTS Advisory DLA-3470-1 [email protected]
https://www.debian.org/lts/security/ Adrian Bunk
June 25, 2023 https://wiki.debian.org/LTS

Package : owslib
Version : 0.17.1-1+deb10u1
CVE ID : CVE-2023-27476
Debian Bug : 1034182

In OWSLib, a Python client library for Open Geospatial web services,
the XML parser did not disable entity resolution which could lead to
arbitrary file reads from an attacker-controlled XML payload.

For Debian 10 buster, this problem has been fixed in version
0.17.1-1+deb10u1.

We recommend that you upgrade your owslib packages.

For the detailed security status of owslib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/owslib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian11allowslib< 0.23.0-1+deb11u1owslib_0.23.0-1+deb11u1_all.deb
Debian10allowslib-doc< 0.17.1-1+deb10u1owslib-doc_0.17.1-1+deb10u1_all.deb
Debian10allpython-owslib< 0.17.1-1+deb10u1python-owslib_0.17.1-1+deb10u1_all.deb
Debian10allowslib< 0.17.1-1+deb10u1owslib_0.17.1-1+deb10u1_all.deb
Debian11allowslib-doc< 0.23.0-1+deb11u1owslib-doc_0.23.0-1+deb11u1_all.deb
Debian10allpython3-owslib< 0.17.1-1+deb10u1python3-owslib_0.17.1-1+deb10u1_all.deb
Debian11allpython3-owslib< 0.23.0-1+deb11u1python3-owslib_0.23.0-1+deb11u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	all	owslib	< 0.23.0-1+deb11u1	owslib_0.23.0-1+deb11u1_all.deb
Debian	10	all	owslib-doc	< 0.17.1-1+deb10u1	owslib-doc_0.17.1-1+deb10u1_all.deb
Debian	10	all	python-owslib	< 0.17.1-1+deb10u1	python-owslib_0.17.1-1+deb10u1_all.deb
Debian	10	all	owslib	< 0.17.1-1+deb10u1	owslib_0.17.1-1+deb10u1_all.deb
Debian	11	all	owslib-doc	< 0.23.0-1+deb11u1	owslib-doc_0.23.0-1+deb11u1_all.deb
Debian	10	all	python3-owslib	< 0.17.1-1+deb10u1	python3-owslib_0.17.1-1+deb10u1_all.deb
Debian	11	all	python3-owslib	< 0.23.0-1+deb11u1	python3-owslib_0.23.0-1+deb11u1_all.deb