CVE-2014-3243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3243): SOAPpy 0.12.5 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted SOAP request containing a large number of nested entity references.
CVE-2014-3242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3242): SOAPpy 0.12.5 allows remote attackers to read arbitrary files via a SOAP request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Solution: Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
Please ping us when this changes.
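Both CVE descriptions above depend on the parser accepting entity declarations from the request's DTD. The following is an added example, not SOAPpy's upstream fix and not code from this bug: it uses the standard-library expat bindings to refuse such documents before any entity is expanded or fetched. The names `classify` and `Rejected` and the sample documents are hypothetical and constructed for illustration.

```python
import xml.parsers.expat


class Rejected(ValueError):
    """Raised when a document uses a DTD feature this policy refuses."""

    def __init__(self, kind, name):
        ValueError.__init__(self, "%s: %s" % (kind, name))
        self.kind = kind


def classify(data):
    """Return 'ok', 'malformed', or the kind of DTD feature that was refused."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE that points at an external subset is refused outright.
        if sysid is not None or pubid is not None:
            raise Rejected("external-dtd", name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # value is set for internal entities (the CVE-2014-3243 class) and
        # None for external ones (the CVE-2014-3242 class).
        kind = "internal-entity" if value is not None else "external-entity"
        raise Rejected(kind, name)

    def on_external_ref(context, base, sysid, pubid):
        raise Rejected("external-entity", sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)  # handler exceptions propagate out of Parse
    except Rejected as exc:
        return exc.kind
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


# Constructed sample documents (small, harmless stand-ins for each case).
BENIGN = b"<Envelope><Body><ping/></Body></Envelope>"
NESTED = b'<!DOCTYPE e [<!ENTITY a "x"><!ENTITY b "&a;&a;">]><e>&b;</e>'
EXTERNAL = b'<!DOCTYPE e [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]><e>&ext;</e>'
EXT_DTD = b'<!DOCTYPE e SYSTEM "http://example.invalid/e.dtd"><e/>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("nested", NESTED),
                       ("external", EXTERNAL), ("ext-dtd", EXT_DTD)]:
        print(label, classify(doc))
```

Because the rejection happens at declaration time, the nested and external samples are refused before the entity reference in the element body is ever reached.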
From https://bugzilla.redhat.com/show_bug.cgi?id=1094619#c8:

> This was fixed upstream in 0.12.6, via the following commit:
>
> https://github.com/kiorky/SOAPpy/commit/a386568
>
> Note that the fix was changed by the subsequent commit to fix the billion
> laughs issue:
>
> https://github.com/kiorky/SOAPpy/commit/64125a2

$ git tag --contains 64125a2 | sort
0.12.20

@ Arches, please test and mark stable:
=dev-python/soappy-0.12.22
amd64 stable
x86 stable
Stable on alpha.
arm stable
An automated check of this bug failed - repoman reported dependency errors (67 lines truncated):

> dependency.bad dev-python/soappy/soappy-0.12.22.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['dev-python/defusedxml[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-python/soappy/soappy-0.12.22.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['dev-python/defusedxml[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-python/soappy/soappy-0.12.22.ebuild: DEPEND: ia64(default/linux/ia64/13.0/desktop) ['dev-python/defusedxml[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
sparc stable
Stable for HPPA.
ppc stable
ia64 stable
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
commit 60ffdd915ad1f1a68d5b3622d62ddb8b60627083
Author: David Seifert <soap@gentoo.org>
Date:   Wed Jan 18 11:15:07 2017 +0100

    dev-python/soappy: Remove old vulnerable versions

    Gentoo-bug: 534546
GLSA Vote: No