can we update to the last version eventually? i should find the time tonight... then i'm going on holiday...

To fix this I think we need to update to the latest version *and* pull patches from upstream SVN (as I think I read that they haven't yet made a release with the fixes).

gsoap_2.8.49.zip has been released the 11t of July, and seems after the r119 commit

Latest changlog says:
Version 2.8.49 (07/10/2017) {#latest}
---

- Improved JSON API to compile with XML data bindings, see updated JSON API documentation on "Compiling XML-RPC/JSON together with gSOAP XML data binding code"
- Improved white space handling of built-in XSD types that have "replace" and "collapse" white space properties. Further, types derived from these built-in XSD types will now inherit the white space "replace" or "collapse" property, meaning that white space of inbound strings are normalized (`xsd__anyURI`, `xsd__language` `xsd__ENTITY`, `xsd__ENTITIES`, `xsd__ID`, `xsd__IDREF`, `xsd__IDREFS`, `xsd__Name`, `xsd__NCName`, `xsd__NMTOKEN`, `xsd__NMTOKENS`, `xsd__normalizedString`, `xsd__token`, etc).
- Fixed a memory leak in the deserializer of `std::vector<xsd__anyType>` (and dynamic arrays of `xsd__anyType`) where `xsd__anyType` is a DOM node imported with `#import "dom.h"`.
- Fixed WSSE plugin recanonicalization of inclusive C14N SignedInfo.
- Fixes for minor issues, improvements.

Oh good, so hopefully we can just update it.

i committed it in cauldron, but i cannot do anything else by now I'm going on holiday, sorry.

(In reply to Angelo Naselli from comment #6)
> i committed it in cauldron, but i cannot do anything else by now I'm going
> on holiday, sorry.

No problem, assigning to all packagers collectively, then.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

gsoap-2.8.49-1.mga7 uploaded for Cauldron.

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Updated packages uploaded for Mageia 5 and Mageia 6.

Advisory:
========================

Updated gsoap packages fix security vulnerability:

A potential vulnerability to a large and specific XML message over 2GB in size
(greater than 2147483711 bytes to trigger the software bug). A buffer overflow
can cause an open unsecured server to crash or malfunction after 2GB is
received (CVE-2017-9765).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9765
http://openwall.com/lists/oss-security/2017/07/19/7
========================

Updated packages in core/updates_testing:
========================
gsoap-2.8.49-1.mga5
gsoap-source-2.8.49-1.mga5
gsoap-2.8.49-1.mga6
gsoap-source-2.8.49-1.mga6

from SRPMS:
gsoap-2.8.49-1.mga5.src.rpm
gsoap-2.8.49-1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs

Not on the mga6 mirrors yet?
maga5 has them.

CC: (none) => tarazed25

gSOAP is a toolkit used in the development of SOAP web services and clients.  It provides a binding for C++ from SOAP applications.  I have not been able to find examples so we shall have to label this as too obscure to test and simply install it.  If anyone has any other ideas please speak up.

Claire's idea about differencing the sources to confirm that the patch(es) is/are in place might be considered.

For the time being just updating the two packages from 2.8.18-3 to 2.8.49-1.

mga5  
Clean install on x86_64 real hardware.

MGA5-32 on Asus A6000VM Xfce
No installation issues.
System didn't topple over after installation: OK.

There are examples of its use in the tutorial at https://www.genivia.com/examples/calc/index.html, but that's out of my league.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Re comment 12.
Quite right Herman; we are not in the business of building applications to test development libraries.  Code snippets we can cope with, if we know the language, but webkits and server applications are out of scope.

Trying M5 x64

No previous updates for this. Installed from current repos:
 gsoap-2.8.18-3.mga5
 gsoap-source-2.8.18-3.mga5

Via MCC-Update system, from Updates Testing updated these to:
 gsoap-2.8.49-1.mga5
 gsoap-source-2.8.49-1.mga5
No problems en route. In the light of earlier comments, OKing this.

Need to do similarly for Mageia 6 x64.

CC: (none) => lewyssmith
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK advisory MGA5-64-OK

(In reply to Len Lawrence from comment #10)
> Not on the mga6 mirrors yet?
> maga5 has them.
I cannot find these pkgs for Mageia 6 either.

(In reply to Lewis Smith from comment #15)
> (In reply to Len Lawrence from comment #10)
> > Not on the mga6 mirrors yet?
> > maga5 has them.
> I cannot find these pkgs for Mageia 6 either.

I see them on e.g. ftp.free.fr: http://ftp.free.fr/mirrors/mageia.org/distrib/6/x86_64/media/core/updates_testing/

It could be that you are both using mirrors which are slightly out of date (ftp.free.fr itself only got properly updated a few hours ago).

I do the same test as in comment 14 on Mageia 6 x86_64, works fine.

Whiteboard: MGA5TOO MGA5-32-OK advisory MGA5-64-OK => advisory MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK

Many thanks Rémi. I take it you did a 'clean update'; before & after versions would have been nice (for the future, not here).

My normal mirror is 'coffee', well reputed. I wonder whether my problem is the following path:
 /etc/urpmi/mediacfg.d/Devel-6-x86_64/media.cfg
                      ~~~~~~~~~~~~~~~
/etc/urpmi/mediacfg.d/ has no other sub-directory. The file has, however:
 [media_info]
 version=6
 mediacfg_version=2
 branch=Official
 ...
 [core/release]
 hdlist=hdlist_core_release.cz
 media_type=official:free:release
 ...

and /etc/product.id
vendor=Mageia.Org,distribution=Mageia,type=Basic,version=6,branch=Official,release=6,arch=x86_64,product=Default

As we are heavily burdened, I am validating this. Advisory already done.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0221.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED