CVE-2016-9910

Advisory

Pywbem 0.13.0 updates its dependency 'html5lib' to v0.999999999 to include security fixes.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

--------------

Released: 2019-02-23

This version contains all fixes up to pywbem 0.12.6.

**Incompatible changes:**

* Changed the `path` argument of `CIMInstance` to be deep copied, because it
may be modified by setting properties. It was previously shallow copied
(and incorrectly documented as not being copied). This is only incompatible
if user code relies on the init method modifying the keybindings of its
`path` input argument. If user code relies on that, it is highly recommended
that you decouple such dependencies (Issue 1251).

* Changed the `path` argument of `CIMClass` to be shallow copied, in order
to decouple the created object from its input arguments. It was previously
not copied but referenced. This is only incompatible if user code relies on
the init method modifying the provided `path` input argument. If user code
relies on that, it is highly recommended that you decouple such
dependencies (Issue 1251).

* Changed keybinding processing when creating `CINInstanceName` objects to
disallow NULL keybinding values. This is in accord with the CIM standard
DSP0004.
This is only incompatible if user code relies on the non-standard
behavior of creating a keybinding having `None` as a value.
If your code relies on that non-standard behavior, it can be
re-established by via the config property `IGNORE_NULL_KEY_VALUE` in
config.py. Note that NULL keybindings may be an issue with some WBEM
servers. (Issue 1298)

* The fix for issue 1302 removed the pywbem config variables from the
`pywbem` namespace. They are now only available via the `pywbem.config`
namespace. However, this change should not affect you because the
previously documented approach for changing them through the `pywbem`
namespace did not work, so if you changed the config variables
successfully, you have done that through the `pywbem.config` namespace
already, and this change does not affect you.

* Removed the `ez_setup.py` script from the repository. That script is the
well-known tool that bootstraps `easy_setup` which was used for installing
Python packages in times before `pip` became ubiquitous. If anyone still
uses `easy_setup` these days for installing Python packages, it is time
to switch to using `pip`. If you cannot do that for some reason, you will
now need to install `easy_setup` by some other means.

* Changed `CIMError` exceptions raised to indicate incorrect CIM-XML responses
to open/pull operations, to raise `ParseError` instead, consistent with
other response checking (Issue 1320).

**Deprecations:**

* Added announcement that Python 2.6 support in pywbem will be removed in
its future 1.0.0 version.

* Deprecated the `tocimobj()` function because it has some inconsistencies,
in favor of the `cimvalue()` function introduced in pywbem 0.12.0. Changed
all internal uses of `tocimobj()` to `cimvalue()`. (Issue 904).

* The deprecated internal methods `imethodcall()` and `methodcall()` of the
`WBEMConnection` class will be removed in the next pywbem version after
0.13.

* Removed the deprecation for setting the `default_namespace` attribute
of `WBEMConnection` that had been introduced in pywbem 0.12; setting it
is now fully supported again.

**Finalizations:**

* Finalized the `use_pull_operations` property and init argument of the
`WBEMConnections` class that allows controlling whether the `Iter...()`
methods use pull operations or traditional operations.

* Finalized the logging support. The logging support was introduced in
pywbem 0.11 and was redesigned in pywbem 0.12. For details, see the
"WBEM operation logging" section in the pywbem documentation.

**Bug fixes:**

* Fixed the issue where wbemcli-help-txt was not being updated when wbemcli.py
changed. (Issue 1205)

* Test: Fixed access to incorrect tuple members in run_cim_operations.py.
that were used only in long version of the test. Found by Pylint.
(Issue 1206).

* Fixed that `CIMInstanceName.from_wbem_uri()` did not support the
representation of integer key values in binary, octal or hex format
(part of Issue 904).

* Fixed an issue with running the tests on Travis CI that occurred on
Python 2.6 with the latest package level and that was caused by the fact
that a new version of the "httpretty" Python package was released that
had dropped support for Python 2.6. This was fixed by limiting the
version of httpretty to <0.9 when running on Python 2.6. Note that
this only affects the development environment.

* Correct issue in pywbem_mock where we return incorrect CIMError
(CIM_ERR_NOT_FOUND rather than CIM_ERR_METHOD_NOT_FOUND) when the
class for a method is not defined in the methods repository. issue 1256

* Fixed issue in pywbem_mock where we were not creating deepcopy (we were using
the pywbem .copy that is part of each object (see issue 1251) of objects
returned from the repository so that if the objects were modified some of the
changes bled back into the repository. Code modified to do deepcopy of
everything inserted into the repository through add_cimobjects and the
Create... methods and returned from the repository with any of the
get/enumerate/etc. methods. We also modified code so that if there is a
class repository there is also an instance repository even if it
is empty. See issue 1253

* Fixed issue where pywbem_mock EnumerateClass and EnumerateClassNames
parameter losing the ClassName parameter and no test for the ClassName
parameter not existing in the repository. (See issue 1271)

* Correct issue in pywbem_mock where we return incorrect CIMError
(CIM_ERR_NOT_FOUND rather than CIM_ERR_METHOD_NOT_FOUND) when the
class for a method is not defined in the methods repository. issue 1256

* Fix issue causing pywbem_mock/_wbemconnection_mock.py display_repository()
to display as bytes in Python 3. See issue 1276

* Fixed the support for Unicode escape sequences in the MOF compiler. It
supported only lower case `\x1234` but not upper case `\X1234`.
Also, it tolerated an invalid `\x` escape sequence, when DSP0004 requires
1..4 hex characters to be present.
See issue 1278.

* Fixed issue where Null key values allowed. See issue 1298

* Fixed issue with updating pywbem config variables.
So far, the pywbem config variables were defined in the `pywbem.config`
namespace and then imported by pywbem into the `pywbem` namespace.
Pywbem documented that these config variables should be accessed (read
and written) through the `pywbem` namespace. However, pywbem code
read them in nearly all cases from the `pywbem.config` namespace.
This caused an update that is done by a pywbem user through the `pywbem`
namespace, not to be visible in the `pywbem.config` namespace, so pywbem
did not react to the user's change.
This was fixed by only using the `pywbem.config` namespace for config
variables. They are no longer imported into the `pywbem` namespace.
See issue 1302.

* Fixed issue where the `tomof()` methods of `CIMProperty`, `CIMQualifier`,
and `CIMQualifierDeclaration` raised `IndexError` when the value was
an empty array. This issue perculated up to higher level CIM objects
that are using these objects, i.e. `CIMInstance` or `CIMClass`.
Added according testcases.
See issue 1312.

* Fix issue in IterQueryInstances where the QueryLanguage and Query parameters
were reveresed in the fallback call to ExecQuery method. See issue 1334.

* Fixed the issue that the VALUE.OBJECTWITHLOCALPATH element was not allowed
as a child element under IRETURNVALUE. This element is used as one
possibility for the result of the ExecQuery operation.
See issue 1347.

* Fixed issue in run_cimoperations.py with test for deep inheritance on
EnumerateInstances. It was reporting confused result so we created a simpler
test. See issue 477.

* Fixed issues in pywbem_mock where classnames on the operation requests were
not treated as case insensitive for some operations, in particular the
enumerate operations, reference operations, and associator operations. This
also adds a number of tests to validate that classnames. See issue 1355.

* Fixed the issue that INSTANCE child elements on a returned ERROR element
were not allowed. INSTANCE child elements are now allowed and will appear
to the user as a list of `CIMInstance` objects in a new `instances` property
of the `CIMError` exception that is raised. See issue 1380.

* Fixed issue in mof_compiler search_paths where doc defined iterable as
input but since string is an interable it was allowed but misused. Extended
code to specifically allow single string on input. See issue 1227.

* Increased the minimum required versions of the following dependent Python
packages in order to fix security issues with these packages:

- requests from 2.12.4 to 2.19.1
- html5lib from 0.9999999 to 0.999999999
- mistune from 0.7.3 to 0.8.1

* The `ValueMapping` class only supported decimal representations of integer
values in the `ValueMap` qualifier. However, DSP0004 allows for decimal,
binary, octal and hexadecimal representations of integer values. Added support
for all these representations to the `ValueMapping` class.
See issue 1547.

* Multiple fixes in `WBEMServer.get_central_instances()`:

- For a profile that implements the central class methodology but has no
central instances, the implementation went on to try the scoping class
methodology. Now, it accepts that as a valid central instance implementation
and returns an empty list of instances, instead.
Non-implementation of the central class methodology is not detected
from CIM_ERR_NOT_SUPPORTED being returned on the Associators operation
that attempts to traverse the CIM_ElementConformsToProfile association.

- For a profile that implements the scoping class methodology, the
traversal from the profile side to the resource side incorrectly
assumed that for multi-hop scoping paths, the hops above the first hop
could be used as the scoping path of the scoping profile. That has
been changed to now omit the scoping path when invoking
`get_central_instances()` on the scoping profile. As a result, the
scoping profile is now required to implement the central class
methodology.

- For a profile that implements the scoping class methodology, the
traversal from the central instances of the scoping profile down
to the central instances of the original profile incorrectly only
traversed the first hop of the reversed scoping path. This has been
fixed to traverse the entire reversed scoping path.

- In the recursive invocation of `get_central_instances()` for the scoping
profile, the newly introduced reference direction was not passed on.
For now, it is assumed that the scoping profile has the same
reference direction as the original profile.

- Because it seems that with these bugs, the `get_central_instances()`
method cannot have been used reasonably, some `ValueError` exceptions`
it returned to indicate server implementation issues, have been
changed to use the newly introduced `ModelError` exception.

* For Python 2.6, pinned version of lxml to <4.3.0, because lxml 4.3.0 has
removed support for Python 2.6. See issue 1592.

* Fixed the URL on the DMTF site from which the MOF archive is downloaded.
This has changed on the DMTF site and needed to be adjusted.

* Fixed order of parameters in example method_callback_interface defined in
pywbem_mock FakedWBEMConnection. (See issue 1614)

* Fixed an error "Python : can't open file 'C:\Users\firstname' :
No such file or directory" when invoking wbemcli.bat on native Windows
in a directory whose path name contained blanks. (See issue 1622)

* Extend pywbem_mock to correctly handle resolving of classes when they are
inserted into the repository. Resolving of classes configures a class
inserted with CreateClass or through the mocker add_cimobjects, etc. to
reflect the inheritance of properties, methods, etc. from the superclass.
The initial release did a very abbreviated resolution which left some
characteristics of the new class and did not properly handle things like
the override qualifier. (See issue 1540). This change also simplifies
the mocker in that both the compiler and the mock responder methods
contribute to the same repository (the original version copied objects
from the compiler repository to the mocker repository).

* Test: Fixed a bytes/unicode error in validate.py that occurred on Python 3
when xmllint failed validating the DTD.

* Increased the minimum M2Crypto version to 0.31.0 in order to pick
up the fix for pywbem issue 1275 (incorrect timeout value).

* Added the Pyton `tox` package to the dependencies for development.

**Enhancements:**

* Extend pywbem MOF compiler to search for dependent classes including:

a) reference classes (classes defined in reference properties or parameters)

b) EmbeddedInstance qualifier classes if they are not compiled before the
classes that reference them are compiled. Previously the lack of these
dependent classes was ignored. The compiler already searches for
superclasses if they are not compiled before their subclasses.

Extends MOFWBEMConnection to generate an exception if the compile of a
class with reference parameters or properties reference class is not in the
repository or if the class defined for an EmbeddedInstance qualifier is
not in the repository.

This uses the capability in the MOF compiler to search the defined
search path for the missing classes if they are not in the repository.

This means that the mof_compiler can be used to create a complete class
repository builds without having to specifically declare all dependent
classes for the classes the user needs in a repository if the mof for the
dependent classes in in the search path. (Issue 1160).

* Made `CIMInstanceName.from_wbem_uri()` and `CIMClassName.from_wbem_uri()`
more flexible w.r.t. tolerating non-standard WBEM URIs that omit the leading
colon before class names (part of Issue 904).

* Added a `tobinary()` method to the `ValueMapping` class, which translates the
value mapping from a `Values` string to binary integer values, or a range
thereof. This is the opposite direction of the existing `tovalues()` method.
(Issue 1153)

* Added an `items()` generator method to the `ValueMapping` class for iterating
through the items of the value mapping, returning tuples of the binary value
(or a range thereof), and the `Values` string. (Issue 1153)

* Docs: Clarified that the `copy()` methods of `NocaseDict` and of the CIM object
classes produce middle-deep copies, whereby mutable leaf attributes are not
copied and thus are shared between original and copy (Issue 1251).

* Docs: Added a note to the description of the `copy()` methods of the CIM
objects that states that `copy.copy()` and `copy.deepcopy()` can be used
to create completely shallow or completely deep copies (Issue 1251).

* Extend wbemcli to use pywbem_mock with a new command line parameter
(--mock_server <mock_info-filename>). Added a set of new tests for this
parameter and a MOF file and test code to test the new option.
(Issue 1268)

* Installation on Windows is now more automated by means of a new
`pywbem_os_setup.bat` script. As part of that, the latest `M2Crypto` version
0.30.1 is now used on Windows, and no longer the somewhat aged versions in
the `M2CryptoWin32/64` packages. For details, see the installation section
in the documentation. That script also downloads and installs Win32 OpenSSL
from https://slproweb.com/products/Win32OpenSSL.html.

* Made exception messages more explicit in the ValueMapping and WBEMServer
classes. Issue 1281.

* Docs: Added a shell command for determining the version of an installed
pywbem package, that covers all released pywbem versions (Issue 1246).

* Docs: Added jupyter notebooks to demonstrate use of pywbem_mock.

* Make: Eliminated the confusing but unproblematic error message about
pbr importing when running certain make targets in a freshly created
Python environment. Issue 1288.

* In `MOFCompiler.__init__()`, added a type check for the search_paths parameter
to avoid accidential passing of a single string. Issue 1292.

* Add new static method to CIMInstance (from_class) that builds an
instance from a class and dictionary of property values. Issue 1188

* Added support for tolerating a `TYPE` attribute in the `PARAMVALUE` element
of received CIM-XML responses. The `TYPE` attribute is not allowed as
per DSP0201. However, there are devices that have incorrectly implemented
a `TYPE` attribute instead of the standard `PARAMTYPE` attribute.
The `TYPE` attribute when present is now used when `PARAMTYPE` is not
present. If both are present, `PARAMTYPE` is used and `TYPE` is ignored.
Also, test cases were added for tupleparse for the `PARAMVALUE` element.
See issue 1241.

* Added support for automatically creating the `Pragma: UpdateExpiredPassword`
HTTP header in the CIM-XML request if pywbem detects that the special SFCB
method "UpdateExpiredPassword()" is invoked on class "SFCB_Account". SFCB
requires this HTTP header for that method.
See https://sblim.sourceforge.net/wiki/index.php/SfcbExpiredPasswordUpdate for
details about this SFCB functionality.
The automatic creation of the header field is enabled by default and can be
disabled with a new pywbem config variable `AUTO_GENERATE_SFCB_UEP_HEADER`.
See issue 1326.

* Add support for ExecQuery (shortcut eqy) to wbemcli. See issue 1332.

* Added support for a new WBEM URI format "canonical" to the `to_wbem_uri()`
methods of `CIMInstanceName` and `CIMClassName`. The new format behaves
like the existing format "standard", except that case insensitive
components are translated to lower case, and the order of keybindings
is the lexical order of the lower-cased key names. The new format
guarantees that two instance paths or class paths that are equal
according to DSP0004, return equal WBEM URI strings.
See issue 1323.

* Added support for Python 3.7, which was released 2018-06-27.

* Enhanced the output of the string representation of the `CIMError`
exception by adding the status code name (e.g. the string
"CIM_ERR_NOT_SUPPORTED" for status code 7). The string representation
is used for example when showing the exception in a Python traceback.
See issue 1350.

* Added checking for the returned instance name to the CreateInstance
operation. This changes the exception that is raised from `TypeError` or
`IndexError` indicating an internal issue, to several `pywbem.ParseError`
exceptions that have reasonable error messages.
Note that there is an uncertainty as to whether DSP0200 would allow
CreateInstance to not return an instance name. Because this would already
have caused an exception to be raised in the current pywbem code, it is
assumed that all WBEM server implementations so far always return the
instance name, and therefore, pywbem has just improved the quality of the
exception that is raised, and continues not to tolerate a missing instance
name.
Extended the testcases for CreateInstance accordingly.
See issue 1319.

* Added support for CIM namespace creation via a new
`WBEMServer.create_namespace()` method. See issue 29.

* Added support for CIM namespace deletion via a new
`WBEMServer.delete_namespace()` method. See issue 1356.

* Added connection information to all pywbem exceptions. This is done via a
new optional `conn_id` keyword argument that was added to all pywbem
exception classes. The exception message now has a connection information
string at its end. See issue 1155.

* Added support for passing a `WBEMConnection` object for the handle
parameter of the `MOFCompiler` creation. This allows a user to pass
the WBEM connection directly as a CIM repository, without first having
to create a MOFWBEMConnection object.

* Made the namespace handling in the pywbem mock support explicit. It is now
required to add any namespaces to the mock registry in a `FakedWBEMConnection`
object. A method `add_namespace()` has been added for easy setup of the
mock repository w.r.t. namespaces. The default namespace of the connection is
added automatically when creating a `FakedWBEMConnection` object.

Extended the support for handling namespace creation in the faked
CreateInstance operation to support `CIM_Namespace` in addition to
`PG_Namespace`, and improved it to properly reflect the created namespace
in the mock repository.

Added support for handling namespace deletion in the faked DeleteInstance
operation for creation classes `CIM_Namespace` and `PG_Namespace`.

* Added support for asterisks in CIM datetime values to the `pywbem.CIMDateTime`
class, as defined in DSP0004 for representing insignificant digits. Changed
the format returned by its `__repr()__` method so that it now shows its
internal attributes and no longer the string representation of the value.
Added a `__repr__()` method to the `pywbem.MinutesFromUTC` class that shows
its internal attributes. See issue 1379.

* Added an `instances` property to the `CIMError` exception class that can
be used to represent a list of error instances returned by the WBEM server
in error responses. See issue 1380.

* Pywbem now ensures that when specifying the `default_namespace` argument
of `WBEMConnection()` as `None`, or when setting the `default_namespace`
attribute of an already existing `WBEMConnection` object to `None`, that it
is set to the built-in default namespace "root/cimv2", instead. Previously,
that was done only when not specifying the `default_namespace` argument.

* All exception and warning messages produced by pywbem now are guaranteed to
contain only ASCII characters. Unicode characters in the messages are
represented using an escape syntax such as `\\uXXXX` or `\\U00XXXXXX`.
That was also done for the result of any `__repr__()` methods of pywbem.
This is important in order to avoid secondary Unicode encoding exceptions
while a first exception or warning is processed. See issue 1072.

* Docs: Added summary tables for public methods and public attributes exposed
by classes defined by the "pywbem" and "pywbem_mock" Python packages,
including any methods and attributes inherited from base classes.
See issue 1417.

* Improved the `brand` and `version` attributes of the `WBEMServer` class
so that they produce reasonable results for more types of WBEM servers
than just OpenPegasus and SFCB. The WBEM servers that are now recognized,
are:

* ``"OpenPegasus"``
* ``"SFCB"`` (Small Footprint CIM Broker)
* ``"WBEM Solutions J WBEM Server"``
* ``"EMC CIM Server"``
* ``"FUJITSU CIM Object Manager"``

See issue 1422.

* Added `__str__()` methods to the `WBEMServer`, `WBEMListener`, and
`WBEMSubscriptionManager` classes in order to reduce the amount of
information. Previously, this defaulted to the result of `__repr__()`.
See issue 1424.

* Improved the quality of any `ParseError` exception messages when the SAX
parser detects errors in CIM-XML responses. See issue 1438.

* Added a `ToleratedServerIssueWarning` class and its base class `Warning`.
The new `ToleratedServerIssueWarning` is raised in cases when the WBEM server
exhibits some incorrect behavior that is tolerated by pywbem.

* Added a `ModelError` exception class that indicates an error with the model
implemented by the WBEM server, that was detected by the pywbem client.

* Added support for tolerating ill-formed XML in the CIM-XML response returned
by the server from the attempt to invoke the CIM method GetCentralInstances()
inside of `WBEMServer.get_central_instances()`. One server was found to
return such ill-formed XML. This now causes pywbem to issue a
`ToleratedServerIssueWarning` and to continue with the next approach for
determining the central instances. See issue 1438.

* The `last_raw_request` and `last_raw_reply` properties of `WBEMConnection`
had previously only been set when debug was enabled on the connection.
They are now always set. This was needed to support tolerating ill-formed
XML, and does not cost any additional conversions.
See issues 1438 and 1568.

* In the `WBEMServer` class, the Interop namespace is now added to the set
of namespaces in the `namespaces` property, if missing there. This
accomodates the behavior of a particular WBEM server that was found to
support the Interop namespace without representing it as a CIM instance.
See issue 1430.

* Added support for specifying the reference direction in
`WBEMServer.get_central_instances()` by adding an optional parameter
`reference_direction`. This was necessary because the DMTF 'Profile
Registration Profile' (PRP) and the SNIA PRP use the CIM_ReferencedProfile
association class in opposite ways: The DMTF PRP defines that the
'Dependent' end of that class goes to the referencing profile which
is defined to be the autonomous profile, while the SNIA PRP defines that
the 'Antecedent' end goes to the autonomous profile.
See issue 1411.

* In order to be able to distinguish errors at the CIM-XML level (e.g.
required attribute missing on an XML element) and at the XML level
(e.g. ill-formed XML), two subclasses of the `ParseError` exception
have been added: `CIMXMLParseError` and `XMLParseError`, that are
now raised instead of `ParseError`. Because these are subclasses,
this change is backwards compatible for users that have caught
`ParseError`. The new subclasses have the CIM-XML request and
response data available as properties.

* The `WBEMServer.get_selected_profiles()` method has been changed to
match the registered names, organisations and versions of profiles
case insensitively, in order to better deal with profile name changes
in SMI-S. See issue 1551.

* Docs: Clarified in the WBEMServer.get_central_instances() method that
all profiles scoped by a top-level specification or autonomous profile
implement the same reference direction ('snia' or 'dmtf').

* Docs: The WBEMServer.get_central_instances() method had a description
of the profile advertisement methodologies that was hard to understand
without knowledge of some of the related DMTF standards. Changed that
to make it understandable for pywbem users without requiring knowledge
of these documents. Some of the text has been moved to a new section
"Profile advertisement methodologies" in the Appendix of the pywbem
documentation. As part of that, clarified how to determine the scoping
class and scoping path for a component profile that does not specify
them in the profile description. See issue 1398.

* Corrected the hint how to exit in wbemcli when running on Windows.

* Added method to statistics (class Statistics, method reset()) to reset
the statistics on a WBEMConnection. This simply resets all of the statistics
values gathered on that connection to their initial values.

**Cleanup:**

* Moved class `NocaseDict` into its own module (Issue 848).

* Resolved several Pylint issues, including several fixes (Issue 1206).

* Cleanup mof_compiler use of args[0] and args[1] with CIMError. (Issue 1221)

* Removed one level of superflous copies of dictionaries in the `copy()`
methods of the CIM object classes. These dictionaries are already copied
in the setter methods for the respective attributes (Issue 1251).

* Added and improved CIM-XML response checks at operation level (Issue 919).

* Changed some warnings classified as `UserWarning` to be classified as
`pywbem.ToleratedServerIssueWarning`, because that better fits the nature
of the warnings. See issue 1595.

* Removed the Connection ID from any exception and warning messages, so that
Python warnings about the same thing are now properly folded together into
one warning during end2end tests. The exception objects still contain
the connection ID as a property `conn_id`, and the pywbem log also still
shows the connection ID for each entry. See issue 1589.

**Build, test, quality:**

* Add tests for the `WBEMSubscriptionManager` class using the pywbem mock
support. This involved
changing the tests for the `WBEMServer` class using pywbem_mock because the the
WBEMSubscriptionManager class depends on the existence of the classes and
instances that support the pywbem WbemServer class existing in the WBEM
server. A new file (wbemserver_mock.py) was added to the tests
that creates the pywbem_mock for any tests that depend on classes like
CIM_Namespace, CIM_ObjectManager existing in the mocked server. See issue
1250

* Needed to upgrade PyYAML version from >=3.12 to >=3.13 due to an issue
in PyYAML on Python 3.7, that was fixed in PyYAML 3.13.
See issue 1337.

* Pinned the version of the pytest-cov package to <2.6 due to the fact that
pytest-cov 2.6.0 has increased its version requirement for the coverage
package from coverage>=3.7.1 to coverage>=4.4. That is in conflict with
the version requirement of python-coveralls for coverage==4.0.3.
This is only a workaround; An issue against python-coveralls has been
opened: https://github.com/z4r/python-coveralls/issues/66

* Reorganized the `testsuite` directory to better separate unit tests,
function tests, end2end tests, and the tested areas (pywbem, pywbem_mock, and
test utility functions). The new top level test directory is now named
`tests` and the new directrory structure is documented in section
"Testing" in the development section of the pywbem documentation and in the
file `tests/README`.

* Added the concept of end2end tests for pywbem.
The end2end tests execute test files named `test_*.py` within the
`tests/end2endtest` directory against groups of real WBEM servers defined
by a WBEM server definition file in YAML syntax:
`tests/server_definitions/server_definition_file.yml`.
There is an example file `example_server_definition_file.yml`.
There are some initial tests, and users can define their own tests.

* For the end2end tests, added a file `tests/profiles/profiles.yml` that
defines the discovery-related characteristics of a number of DMTF and SNIA
management profiles, and that is used to drive profile discovery related
tests against WBEM servers.

* Added toleration support in the CIM-XML response parsing for WBEM servers
that return attribute `TYPE` with an empty string instead of omitting it.
As part of that, improved the checking for valid values of the TYPE
attribute. See issue 1564.

* Improved testing of the `tocimxml()` and `tocimxmlstr()` methods of the CIM
object classes (e.g. `CIMinstance`) by adding validation against the CIM-XML
DTD, and by adding tests for the `indent` parameter of `tocimxmlstr()`.

* Added support for running pylint also on Python 3.x. See issue 1640.

* Improved the makefile for use on native Windows. See issue 1631. Details:

- Some GNU make versions on native Windows have an issue with double
quotes in make $(shell ..) commands; removed the use of double quotes.
As a result, most inline python commands have been moved into new small
scripts in the tools directory.
Also, several make targets that used to produce log files,
no longer can do that and the user needs to redirect the make invocation
in order to get a log file.

- Removed dependencies on most UNIX-like commands (touch, tee, bash, rm,
find, xargs) when using make on native Windows.

- Encapsulated file removal and copy commands to be compatible between
native Windows and other platforms.

- Updated the appveyor.yml file to check only the new, smaller, list of
commands.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9910