Bug 19857

Summary: perl-SOAP-Lite new security issue CVE-2015-8978
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/707491/
Whiteboard: advisory MGA5-64-OK
Source RPM: perl-SOAP-Lite-1.110.0-4.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-11-28 20:44:50 CET 
Debian-LTS has issued an advisory on November 25:
https://lwn.net/Alerts/707471/

Debian has a patch.  From the CVE entry, it sounds like the version in Cauldron may be new enough to contain the fix.
Marja Van Waes 2016-11-29 10:02:50 CET

CC: (none) => marja11
Assignee: bugsquad => jquelin

Comment 1 David Walser 2017-07-09 02:27:33 CEST 
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated perl-SOAP-Lite package fixes security vulnerability:

It was discovered that there was a "Billion Laughs" [0] XML expansion
vulnerability in SOAP::Lite (CVE-2015-8978).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8978
https://lwn.net/Alerts/707471/
========================

Updated packages in core/updates_testing:
========================
perl-SOAP-Lite-1.110.0-4.1.mga5

from perl-SOAP-Lite-1.110.0-4.1.mga5.src.rpm

Assignee: jquelin => qa-bugs

Comment 2 Lewis Smith 2017-08-09 10:54:08 CEST 
Testing M5_64

No previous updates for this.
Some applications using it:
 chronicle
 lemonldap-*
 mga-advisories
 perl-*-*
 remotebox
 sympa
chronicle looks the simplest; no man page nor /usr/share/ info, but:
 $ chronicle -h
 $ chronicle --manual
has good information. I tried it by creating a directory 'chronicle' with a few simple text files as prescribed; then
 $ chronicle --input chronicle --output chronicle
and pointing a browser at file://localhost/home/lewis/chronicle/index.html showed the nice result. Alas, stracing it showed no calls to SOAP anything.

BEFORE update: perl-SOAP-Lite-1.110.0-4.mga5
AFTER clean update: perl-SOAP-Lite-1.110.0-4.1.mga5

FWIW chronicle result same before & after, but this is probably meaningless.
Better, I have just added this advisory (OK) which may have exercised it - see mga-advisories above.

OKing & validating.

Whiteboard: (none) => advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 3 Mageia Robot 2017-08-09 12:45:11 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0252.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED