A security issue in gsoap has been reported: http://openwall.com/lists/oss-security/2017/07/19/7 There is apparently a fix upstream. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => anaselli
Can we update to the latest version eventually? I should find the time tonight... then I'm going on holiday...
To fix this I think we need to update to the latest version *and* pull patches from upstream SVN (as I think I read that they haven't yet made a release with the fixes).
gsoap_2.8.49.zip was released on the 11th of July, and seems to be after the r119 commit.
Latest changelog says:

Version 2.8.49 (07/10/2017)
---
- Improved JSON API to compile with XML data bindings, see updated JSON API documentation on "Compiling XML-RPC/JSON together with gSOAP XML data binding code"
- Improved white space handling of built-in XSD types that have "replace" and "collapse" white space properties. Further, types derived from these built-in XSD types will now inherit the white space "replace" or "collapse" property, meaning that white space of inbound strings is normalized (`xsd__anyURI`, `xsd__language`, `xsd__ENTITY`, `xsd__ENTITIES`, `xsd__ID`, `xsd__IDREF`, `xsd__IDREFS`, `xsd__Name`, `xsd__NCName`, `xsd__NMTOKEN`, `xsd__NMTOKENS`, `xsd__normalizedString`, `xsd__token`, etc).
- Fixed a memory leak in the deserializer of `std::vector<xsd__anyType>` (and dynamic arrays of `xsd__anyType`) where `xsd__anyType` is a DOM node imported with `#import "dom.h"`.
- Fixed WSSE plugin recanonicalization of inclusive C14N SignedInfo.
- Fixes for minor issues, improvements.
Oh good, so hopefully we can just update it.
I committed it in Cauldron, but I cannot do anything else by now; I'm going on holiday, sorry.
(In reply to Angelo Naselli from comment #6)
> I committed it in Cauldron, but I cannot do anything else by now; I'm going on holiday, sorry.

No problem, assigning to all packagers collectively, then.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
gsoap-2.8.49-1.mga7 uploaded for Cauldron.
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Updated packages uploaded for Mageia 5 and Mageia 6.

Advisory:
========================

Updated gsoap packages fix security vulnerability:

A potential vulnerability to a large and specific XML message over 2GB in size (greater than 2147483711 bytes to trigger the software bug). A buffer overflow can cause an open unsecured server to crash or malfunction after 2GB is received (CVE-2017-9765).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9765
http://openwall.com/lists/oss-security/2017/07/19/7
========================

Updated packages in core/updates_testing:
========================
gsoap-2.8.49-1.mga5
gsoap-source-2.8.49-1.mga5
gsoap-2.8.49-1.mga6
gsoap-source-2.8.49-1.mga6

from SRPMS:
gsoap-2.8.49-1.mga5.src.rpm
gsoap-2.8.49-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
Not on the mga6 mirrors yet? mga5 has them.
CC: (none) => tarazed25
gSOAP is a toolkit used in the development of SOAP web services and clients. It provides a binding for C++ from SOAP applications. I have not been able to find examples, so we shall have to label this as too obscure to test and simply install it. If anyone has any other ideas please speak up. Claire's idea about differencing the sources to confirm that the patch(es) is/are in place might be considered. For the time being just updating the two packages from 2.8.18-3 to 2.8.49-1.

mga5
Clean install on x86_64 real hardware.
Summary: gosap new security issue CVE-2017-9765 => gsoap new security issue CVE-2017-9765
MGA5-32 on Asus A6000VM Xfce

No installation issues. System didn't topple over after installation: OK.
There are examples of its use in the tutorial at https://www.genivia.com/examples/calc/index.html, but that's out of my league.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Re comment 12. Quite right Herman; we are not in the business of building applications to test development libraries. Code snippets we can cope with, if we know the language, but webkits and server applications are out of scope.
Trying M5 x64

No previous updates for this. Installed from current repos:
gsoap-2.8.18-3.mga5
gsoap-source-2.8.18-3.mga5

Via MCC-Update system, from Updates Testing updated these to:
gsoap-2.8.49-1.mga5
gsoap-source-2.8.49-1.mga5

No problems en route. In the light of earlier comments, OKing this. Need to do similarly for Mageia 6 x64.
CC: (none) => lewyssmith
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK advisory MGA5-64-OK
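The QA checks above boil down to confirming that the installed gsoap and gsoap-source packages are at or past the fixed build named in the advisory (2.8.49-1). The POSIX shell script below is an added example written for this bug report, not part of Mageia's QA tooling or of gsoap itself: it parses an RPM name-version-release string, compares the version component-wise against the fixed version, and on a real system feeds it the output of `rpm -q`. The package strings in the sample list are taken from the comments on this bug; the `gsoap-2.8.50-1.mga6` entry is a constructed value used only to show that a later version also passes.

```shell
#!/bin/sh
# Added example: verify an installed gsoap package is at least the fixed build
# listed in the advisory on this bug (2.8.49-1). Not Mageia's or gsoap's own code.

FIXED_VERSION="2.8.49"   # version from the advisory
FIXED_RELEASE="1"        # numeric part of the release (1.mga5 / 1.mga6)

# version_ge A B: return 0 when dotted version A >= B, comparing each
# numeric component in turn; missing components are treated as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        [ -z "$ac" ] && ac=0
        [ -z "$bc" ] && bc=0
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# gsoap_is_fixed NVR: return 0 when NAME-VERSION-RELEASE (e.g. gsoap-source-2.8.49-1.mga5)
# is at or beyond FIXED_VERSION-FIXED_RELEASE. The package name may itself contain dashes.
gsoap_is_fixed() {
    nvr="$1"
    rel="${nvr##*-}"          # 1.mga5
    nv="${nvr%-*}"            # gsoap-source-2.8.49
    ver="${nv##*-}"           # 2.8.49
    relnum="${rel%%.*}"       # 1
    case "$relnum" in ''|*[!0-9]*) return 1;; esac   # unparsable release: not fixed
    # Equal version: decide on the release number; otherwise the version decides.
    if version_ge "$ver" "$FIXED_VERSION" && version_ge "$FIXED_VERSION" "$ver"; then
        [ "$relnum" -ge "$FIXED_RELEASE" ]
    else
        version_ge "$ver" "$FIXED_VERSION"
    fi
}

# report NVR: print a one-line verdict; used for both sample data and live rpm output.
report() {
    if gsoap_is_fixed "$1"; then echo "OK       $1"; else echo "VULNERABLE $1"; fi
}

# Sample name-version-release strings (constructed from the versions quoted on this bug).
SAMPLE_NVRS="gsoap-2.8.18-3.mga5
gsoap-source-2.8.18-3.mga5
gsoap-2.8.49-1.mga5
gsoap-source-2.8.49-1.mga6
gsoap-2.8.50-1.mga6"

echo "$SAMPLE_NVRS" | while read -r nvr; do report "$nvr"; done

# On an RPM-based system, check what is actually installed (skipped elsewhere).
if command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' gsoap gsoap-source 2>/dev/null |
        while read -r nvr; do case "$nvr" in *"not installed"*) ;; *) report "$nvr";; esac; done
fi
```

Run it as `sh check_gsoap.sh`; a VULNERABLE line means the package still predates the advisory's fixed build. The comparison is purely numeric on dots, which is enough for gsoap's `major.minor.patch` scheme but would need extending for RPM's full epoch and alphanumeric ordering rules.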
(In reply to Len Lawrence from comment #10)
> Not on the mga6 mirrors yet?
> mga5 has them.

I cannot find these pkgs for Mageia 6 either.
(In reply to Lewis Smith from comment #15)
> (In reply to Len Lawrence from comment #10)
> > Not on the mga6 mirrors yet?
> > mga5 has them.
> I cannot find these pkgs for Mageia 6 either.

I see them on e.g. ftp.free.fr: http://ftp.free.fr/mirrors/mageia.org/distrib/6/x86_64/media/core/updates_testing/

It could be that you are both using mirrors which are slightly out of date (ftp.free.fr itself only got properly updated a few hours ago).

I did the same test as in comment 14 on Mageia 6 x86_64, works fine.
Whiteboard: MGA5TOO MGA5-32-OK advisory MGA5-64-OK => advisory MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK
Many thanks Rémi. I take it you did a 'clean update'; before & after versions would have been nice (for the future, not here).

My normal mirror is 'coffee', well reputed. I wonder whether my problem is the following path:
/etc/urpmi/mediacfg.d/Devel-6-x86_64/media.cfg
~~~~~~~~~~~~~~~
/etc/urpmi/mediacfg.d/ has no other sub-directory. The file has, however:

    [media_info]
    version=6
    mediacfg_version=2
    branch=Official
    ...
    [core/release]
    hdlist=hdlist_core_release.cz
    media_type=official:free:release
    ...

and /etc/product.id

    vendor=Mageia.Org,distribution=Mageia,type=Basic,version=6,branch=Official,release=6,arch=x86_64,product=Default

As we are heavily burdened, I am validating this. Advisory already done.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0221.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED