Fedora has issued an advisory on March 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SMTJ3SJJ22SFLBLPKFADV7NVBH7UFA23/

Mageia 7 and Mageia 8 are also affected.

Status comment: (none) => Patches available from Fedora
Whiteboard: (none) => MGA8TOO, MGA7TOO
Uncertain maintainers, so assigning globally. CC'ing DavidG who has touched this SRPM relatively recently.
CC: (none) => geiger.david68210
Assignee: bugsquad => pkg-bugs
Done for Cauldron, mga8 and mga7!
RPMS:
gsoap-2.8.67-2.1.mga7
gsoap-source-2.8.67-2.1.mga7
libgsoap-devel-2.8.104-1.1.mga8
libgsoap2.8.104-2.8.104-1.1.mga8
gsoap-doc-2.8.104-1.1.mga8
gsoap-source-2.8.104-1.1.mga8

from SRPMS:
gsoap-2.8.67-2.1.mga7.src.rpm
gsoap-2.8.104-1.1.mga8.src.rpm

Status comment: Patches available from Fedora => (none)
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Tackled mga8 first.

Looked back for previous updates, and found just 3 bugs that referenced gsoap other than this one. I found Herman Viaene's test in Bug 21298 to be particularly compelling:

"No installation issues. System didn't topple over after installation: OK."

This update passed that test perfectly.

I found another test in Bug 22963 and tried that:

$ wsdl2h -s -o calc.h http://www.cs.fsu.edu/~engelen/calc.wsdl
Saving calc.h

** The gSOAP WSDL/WADL/XSD processor for C and C++, wsdl2h release 2.8.104
** Copyright (C) 2000-2020 Robert van Engelen, Genivia Inc.
** All Rights Reserved. This product is provided "as is", without any warranty.
** The wsdl2h tool and its generated software are released under the GPL.
** ----------------------------------------------------------------------------
** A commercial use license is available from Genivia Inc., contact@genivia.com
** ----------------------------------------------------------------------------

Reading type definitions from type map "/usr/share/gsoap/WS/typemap.dat"
Connecting to 'http://www.cs.fsu.edu/~engelen/calc.wsdl' to retrieve WSDL/WADL or XSD... connected, receiving...
Done reading 'http://www.cs.fsu.edu/~engelen/calc.wsdl'

To finalize code generation, execute:
> soapcpp2 calc.h
Or to generate C++ proxy and service classes:
> soapcpp2 -j calc.h

$ soapcpp2 -CL -I/path/to/gsoap/import calc.h

** The gSOAP code generator for C and C++, soapcpp2 release 2.8.104
** Copyright (C) 2000-2020, Robert van Engelen, Genivia Inc.
** All Rights Reserved. This product is provided "as is", without any warranty.
** The soapcpp2 tool and its generated software are released under the GPL.
** ----------------------------------------------------------------------------
** A commercial use license is available from Genivia Inc., contact@genivia.com
** ----------------------------------------------------------------------------

Saving soapStub.h annotated copy of the source interface header file
Saving soapH.h serialization functions to #include in projects
Using ns2 service name: calc
Using ns2 service style: document
Using ns2 service encoding: literal
Using ns2 service location: http://websrv.cs.fsu.edu/~engelen/calcserver.cgi
Using ns2 schema namespace: urn:calc
Saving calc.add.req.xml sample SOAP/XML request
Saving calc.add.res.xml sample SOAP/XML response
Saving calc.sub.req.xml sample SOAP/XML request
Saving calc.sub.res.xml sample SOAP/XML response
Saving calc.mul.req.xml sample SOAP/XML request
Saving calc.mul.res.xml sample SOAP/XML response
Saving calc.div.req.xml sample SOAP/XML request
Saving calc.div.res.xml sample SOAP/XML response
Saving calc.pow.req.xml sample SOAP/XML request
Saving calc.pow.res.xml sample SOAP/XML response
Saving calc.nsmap namespace mapping table
Saving soapClient.cpp client call stub functions
Saving soapC.cpp serialization functions

Compilation successful

Appears to be OK for mga8.
CC: (none) => andrewsfarm
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
Tackled mga7 next. Same 2 tests, same results. OK for mga7. Validating.
Keywords: (none) => validated_update
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK
CC: (none) => sysadmin-bugs
Advisory:
========================

Updated gsoap packages fix security vulnerabilities

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability (CVE-2020-13574).

A denial-of-service vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability (CVE-2020-13575).

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability (CVE-2020-13576).

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability (CVE-2020-13577).

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability (CVE-2020-13578).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29015
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13574
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13575
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13576
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13577
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13578
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SMTJ3SJJ22SFLBLPKFADV7NVBH7UFA23/

========================
Updated packages in 7/core/updates_testing:
========================
gsoap-2.8.67-2.1.mga7
gsoap-source-2.8.67-2.1.mga7

from SRPM:
gsoap-2.8.67-2.1.mga7.src.rpm

========================
Updated packages in 8/core/updates_testing:
========================
lib(64)gsoap-devel-2.8.104-1.1.mga8
lib(64)gsoap2.8.104-2.8.104-1.1.mga8
gsoap-doc-2.8.104-1.1.mga8
gsoap-source-2.8.104-1.1.mga8
gsoap-2.8.104-1.1.mga8.src.rpm

from SRPM:
gsoap-2.8.104-1.1.mga8.src.rpm
CVE: (none) => CVE-2020-1357[4-8]
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0263.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED