Bug 19857 - perl-SOAP-Lite new security issue CVE-2015-8978
Summary: perl-SOAP-Lite new security issue CVE-2015-8978
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/707491/
Whiteboard: advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-28 20:44 CET by David Walser
Modified: 2017-08-09 12:45 CEST (History)
3 users (show)

See Also:
Source RPM: perl-SOAP-Lite-1.110.0-4.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2016-11-28 20:44:50 CET
Debian-LTS has issued an advisory on November 25:
https://lwn.net/Alerts/707471/

Debian has a patch.  From the CVE entry, it sounds like the version in Cauldron may be new enough to contain the fix.
Marja van Waes 2016-11-29 10:02:50 CET

Assignee: bugsquad => jquelin
CC: (none) => marja11

Comment 1 David Walser 2017-07-09 02:27:33 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated perl-SOAP-Lite package fixes security vulnerability:

It was discovered that there was a "Billion Laughs" [0] XML expansion
vulnerability in SOAP::Lite (CVE-2015-8978).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8978
https://lwn.net/Alerts/707471/
========================

Updated packages in core/updates_testing:
========================
perl-SOAP-Lite-1.110.0-4.1.mga5

from perl-SOAP-Lite-1.110.0-4.1.mga5.src.rpm

Assignee: jquelin => qa-bugs

Comment 2 Lewis Smith 2017-08-09 10:54:08 CEST
Testing M5_64

No previous updates for this.
Some applications using it:
 chronicle
 lemonldap-*
 mga-advisories
 perl-*-*
 remotebox
 sympa
chronicle looks the simplest; no man page nor /usr/share/ info, but:
 $ chronicle -h
 $ chronicle --manual
has good information. I tried it by creating a directory 'chronicle' with a few simple text files as prescribed; then
 $ chronicle --input chronicle --output chronicle
and pointing a browser at file://localhost/home/lewis/chronicle/index.html showed the nice result. Alas, stracing it showed no calls to SOAP anything.

BEFORE update: perl-SOAP-Lite-1.110.0-4.mga5
AFTER clean update: perl-SOAP-Lite-1.110.0-4.1.mga5

FWIW chronicle result same before & after, but this is probably meaningless.
Better, I have just added this advisory (OK) which may have exercised it - see mga-advisories above.

OKing & validating.

Whiteboard: (none) => advisory MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
Keywords: (none) => validated_update

Comment 3 Mageia Robot 2017-08-09 12:45:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0252.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.