Source: owslib
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for owslib.

CVE-2023-27476[0]:
| OWSLib is a Python package for client programming with Open Geospatial
| Consortium (OGC) web service interface standards, and their related
| content models. OWSLib's XML parser (which supports both `lxml` and
| `xml.etree`) does not disable entity resolution, and could lead to
| arbitrary file reads from an attacker-controlled XML payload. This
| affects all XML parsing in the codebase. This issue has been addressed
| in version 0.28.1. All users are advised to upgrade. The only known
| workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc`
| for details.

https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27476
    https://www.cve.org/CVERecord?id=CVE-2023-27476

Please adjust the affected versions in the BTS as needed.
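Added illustration, not OWSLib's code (the project's own fix is in the commit linked above): a stdlib-only guard that refuses any XML document declaring entities before it reaches `xml.etree`, which is the class of input the advisory describes. The function names and the two sample documents are constructed for this example.

```python
# Added example (not OWSLib's code): reject entity declarations before parsing.
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an XML document declares or references entities."""


def reject_entities(data: bytes) -> None:
    """Scan `data` with expat and raise if it declares any entity.

    EntityDeclHandler fires for internal, external (SYSTEM/PUBLIC) and
    parameter entities alike, so a document that could pull in a local file
    is refused before any tree is built. Nothing is resolved during the scan.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id or public_id else "internal"
        raise UnsafeXMLError(f"{kind} entity declaration {name!r} rejected")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError(f"external entity reference to {system_id!r} rejected")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # handlers raise on the first offending declaration


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse an XML payload from an untrusted source, refusing any entities."""
    reject_entities(data)
    return ET.fromstring(data)


# Constructed sample inputs (hypothetical; not taken from any real OGC service).
CLEAN_CAPABILITIES = b'<WMS_Capabilities version="1.3.0"><Service><Name>WMS</Name></Service></WMS_Capabilities>'
ENTITY_PAYLOAD = b'<!DOCTYPE r [<!ENTITY e "expanded">]><r>&e;</r>'


def check_payloads() -> dict:
    """Report how each sample fares: the clean one parses, the entity one is rejected."""
    results = {"clean_root": parse_untrusted(CLEAN_CAPABILITIES).tag}
    try:
        parse_untrusted(ENTITY_PAYLOAD)
        results["entity_rejected"] = False
    except UnsafeXMLError as exc:
        results["entity_rejected"] = True
        results["reason"] = str(exc)
    # For comparison: the stock parser silently expands the declared entity.
    results["stock_expands_to"] = ET.fromstring(ENTITY_PAYLOAD).text
    return results


if __name__ == "__main__":
    print(check_payloads())
```

With lxml the equivalent hardening is to build the tree with `etree.XMLParser(resolve_entities=False, no_network=True)` instead of the default parser.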