Fedora has issued an advisory on April 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EYAKGIZPFCSL2VNLNZ4DZ6RJI6DBGXCH/
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => anaselli
Which was the package policy here? I seem to recall we updated with the last version in the past.... Is mga5 supported yet?
Status: NEW => ASSIGNED
Fedora just patched the same version we have. I would just borrow from them. You don't need to update this for Mageia 5. You can if you think it's important, but nothing requires it.
IIRC we ship only a static version of the library, which means that everything we've built against it and that uses DIME is affected, whether we update or not... just to be clear
Ahh, then we should probably rebuild stuff.
I submitted the patch for 6; I will upgrade cauldron to the last version instead.
Package updated for mga 6 (cauldron is upgraded to new version)
Suggested advisory:
========================
This update contains a patch that fixes a critical issue with the DIME protocol receiver that may cause the receiver to become unresponsive when a malformed DIME protocol message is received.
Reference
https://www.genivia.com/advisory.html
Updated packages in core/updates_testing:
========================
gsoap-2.8.66-1.mga6
gsoap-source-2.8.66-1.mga6
Source RPM:
gsoap-2.8.66-1.mga6.src.rpm
Assignee: anaselli => qa-bugs
Angelo, what about rebuilding the packages that incorporate gsoap?
CC: (none) => anaselli
David, honestly, I don't know which ones use it. Once VirtualBox was dependent, using the SOAP protocol. If you have a list I could help.
The Fedora link in c0 just points to that in c7 - which indicates a 1-line change (deletion). No CVE (yet), no PoC. The application is esoteric.
/usr/share/doc/gsoap/ README.txt & NOTES.txt have useful basic info. I think the 'import' directory referred to in the example commands:
$ wsdl2h -s -o calc.h http://www.cs.fsu.edu/~engelen/calc.wsdl
$ soapcpp2 -CL -I/path/to/gsoap/import calc.h
is /usr/share/gsoap/import.
Testing M6 x64.
BEFORE update: gsoap-2.8.49-1.mga6.x86_64.rpm
$ wsdl2h -s -o calc.h http://www.cs.fsu.edu/~engelen/calc.wsdl
Saving calc.h
** The gSOAP WSDL/WADL/XSD processor for C and C++, wsdl2h release 2.8.49
** Copyright (C) 2000-2017 Robert van Engelen, Genivia Inc.
** All Rights Reserved. This product is provided "as is", without any warranty.
** The wsdl2h tool and its generated software are released under the GPL.
** ----------------------------------------------------------------------------
** A commercial use license is available from Genivia Inc., contact@genivia.com
** ----------------------------------------------------------------------------
Reading type definitions from type map "/usr/share/gsoap/WS/typemap.dat"
Connecting to 'http://www.cs.fsu.edu/~engelen/calc.wsdl' to retrieve WSDL/WADL or XSD... connected, receiving...
Done reading 'http://www.cs.fsu.edu/~engelen/calc.wsdl'
To finalize code generation, execute:
> soapcpp2 calc.h
Or to generate C++ proxy and service classes:
> soapcpp2 -j calc.h
$ soapcpp2 -CL -I/usr/share/gsoap/import calc.h
** The gSOAP code generator for C and C++, soapcpp2 release 2.8.49
** Copyright (C) 2000-2017, Robert van Engelen, Genivia Inc.
** All Rights Reserved. This product is provided "as is", without any warranty.
** The soapcpp2 tool and its generated software are released under the GPL.
** ----------------------------------------------------------------------------
** A commercial use license is available from Genivia Inc., contact@genivia.com
** ----------------------------------------------------------------------------
Saving soapStub.h annotated copy of the source interface file
Saving soapH.h serialization functions to #include in projects
Using ns2 service name: calc
Using ns2 service style: document
Using ns2 service encoding: literal
Using ns2 service location: http://websrv.cs.fsu.edu/~engelen/calcserver.cgi
Using ns2 schema namespace: urn:calc
Saving calc.add.req.xml sample SOAP/XML request
Saving calc.add.res.xml sample SOAP/XML response
Saving calc.sub.req.xml sample SOAP/XML request
Saving calc.sub.res.xml sample SOAP/XML response
Saving calc.mul.req.xml sample SOAP/XML request
Saving calc.mul.res.xml sample SOAP/XML response
Saving calc.div.req.xml sample SOAP/XML request
Saving calc.div.res.xml sample SOAP/XML response
Saving calc.pow.req.xml sample SOAP/XML request
Saving calc.pow.res.xml sample SOAP/XML response
Saving calc.nsmap namespace mapping table
Saving soapClient.cpp client call stub functions
Saving soapC.cpp serialization functions
Compilation successful
---------------------------------------------
AFTER update to: gsoap-2.8.49-1.1.mga6.x86_64
*THE VERSION NUMBER IS NOT RIGHT RE C7*
Re-running the test anyway. Output was identical to before, including 'release 2.8.49'. Is this intended? If so, this test warrants OK.
Asking for feedback re the version number.
Keywords: (none) => feedback
The correct package list for the Mageia 6 update is:
gsoap-2.8.49-1.1.mga6
gsoap-source-2.8.49-1.1.mga6
from gsoap-2.8.49-1.1.mga6.src.rpm
The only package I can find that BuildRequires' gsoap is VirtualBox (which uses it for the VirtualBox web service). That was only added as a BR in VirtualBox 2-3 years ago IIRC. Why did we have gsoap packaged before that? Why was it ever imported in the first place? So we already have another bug for a VirtualBox update which hasn't been built yet, so when it is it will incorporate this update, so we're good there.
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Keywords: feedback => (none)
David, I can't get it, sorry. I imported gsoap years ago (I can't remember well, maybe in Mandriva), because I needed it for my job, and I maintained it also. I think VirtualBox needed it later.
Ok thanks. Nothing to be sorry for. Thanks for doing the update.
MGA6-32 on Dell Latitude D600 MATE
No installation issues.
Followed Comment 10 and got:
$ wsdl2h -s -o calc.h http://www.cs.fsu.edu/~engelen/calc.wsdl
Saving calc.h
** The gSOAP WSDL/WADL/XSD processor for C and C++, wsdl2h release 2.8.49
** Copyright (C) 2000-2017 Robert van Engelen, Genivia Inc.
** All Rights Reserved. This product is provided "as is", without any warranty.
** The wsdl2h tool and its generated software are released under the GPL.
** ----------------------------------------------------------------------------
** A commercial use license is available from Genivia Inc., contact@genivia.com
** ----------------------------------------------------------------------------
Reading type definitions from type map "/usr/share/gsoap/WS/typemap.dat"
Connecting to 'http://www.cs.fsu.edu/~engelen/calc.wsdl' to retrieve WSDL/WADL or XSD... connected, receiving...
Done reading 'http://www.cs.fsu.edu/~engelen/calc.wsdl'
To finalize code generation, execute:
> soapcpp2 calc.h
Or to generate C++ proxy and service classes:
> soapcpp2 -j calc.h
Choose first option and get
$ soapcpp2 calc.h
** The gSOAP code generator for C and C++, soapcpp2 release 2.8.49
** Copyright (C) 2000-2017, Robert van Engelen, Genivia Inc.
** All Rights Reserved. This product is provided "as is", without any warranty.
** The soapcpp2 tool and its generated software are released under the GPL.
** ----------------------------------------------------------------------------
** A commercial use license is available from Genivia Inc., contact@genivia.com
** ----------------------------------------------------------------------------
Saving soapStub.h annotated copy of the source interface file
Saving soapH.h serialization functions to #include in projects
Using ns2 service name: calc
Using ns2 service style: document
Using ns2 service encoding: literal
Using ns2 service location: http://websrv.cs.fsu.edu/~engelen/calcserver.cgi
Using ns2 schema namespace: urn:calc
Saving calc.add.req.xml sample SOAP/XML request
Saving calc.add.res.xml sample SOAP/XML response
Saving calc.sub.req.xml sample SOAP/XML request
Saving calc.sub.res.xml sample SOAP/XML response
Saving calc.mul.req.xml sample SOAP/XML request
Saving calc.mul.res.xml sample SOAP/XML response
Saving calc.div.req.xml sample SOAP/XML request
Saving calc.div.res.xml sample SOAP/XML response
Saving calc.pow.req.xml sample SOAP/XML request
Saving calc.pow.res.xml sample SOAP/XML response
Saving calc.nsmap namespace mapping table
Saving soapClient.cpp client call stub functions
Saving soapClientLib.cpp client stubs with serializers (use only for libs)
Saving soapServer.cpp server request dispatcher
Saving soapServerLib.cpp server request dispatcher with serializers (use only for libs)
Saving soapC.cpp serialization functions
Compilation successful
Looks OK, and second command also reports Compilation successful
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
(In reply to David Walser from comment #11)
> The correct package list for the Mageia 6 update is:
> gsoap-2.8.49-1.1.mga6
> gsoap-source-2.8.49-1.1.mga6
> from gsoap-2.8.49-1.1.mga6.src.rpm
So the test comment 10 was valid. OKing, validating.
Advisory from comments 7 & 11.
Keywords: (none) => advisory, validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0221.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED