SOAPpy 0.12.5 does not properly detect recursion during entity expansion,
which allows remote attackers to cause a denial of service (memory and CPU
consumption) via a crafted SOAP request containing a large number of nested

SOAPpy 0.12.5 allows remote attackers to read arbitrary files via a SOAP
request containing an external entity declaration in conjunction with an
entity reference, related to an XML External Entity (XXE) issue.
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: firstname.lastname@example.org.
please ping us when this changes
> This was fixed upstream in 0.12.6, via the following commit:
> Note that the fix was changed by the subsequent commit to fix the billion
> laughs issue:
$ git tag --contains 64125a2 | sort
please test and mark stable: =dev-python/soappy-0.12.22
Stable on alpha.
An automated check of this bug failed - repoman reported dependency errors (67 lines truncated):
> dependency.bad dev-python/soappy/soappy-0.12.22.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['dev-python/defusedxml[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-python/soappy/soappy-0.12.22.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['dev-python/defusedxml[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-python/soappy/soappy-0.12.22.ebuild: DEPEND: ia64(default/linux/ia64/13.0/desktop) ['dev-python/defusedxml[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
Stable for HPPA.
Maintainer(s), please cleanup.
Security, please vote.
Author: David Seifert <email@example.com>
Date: Wed Jan 18 11:15:07 2017 +0100
dev-python/soappy: Remove old vulnerable versions
GLSA Vote: No
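The two issues described at the top of this report (entity expansion and external entities) both depend on the parser accepting a DTD in the request. The following is an added example, not SOAPpy's or defusedxml's code: a standard-library expat check that refuses such requests. The names `parse_soap_strict`, `verdict` and `ForbiddenXML` are hypothetical, and the sample requests are constructed.

```python
import xml.parsers.expat

class ForbiddenXML(ValueError):
    """The request carries a DTD, an entity declaration or an external reference."""

def parse_soap_strict(data, forbid_dtd=True):
    """Parse a SOAP request with expat; return element names in document order.
    SOAP 1.1 forbids a Document Type Declaration in a message, so rejecting
    DOCTYPE outright (forbid_dtd=True) costs legitimate clients nothing."""
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML("DOCTYPE %r not allowed" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Fires for internal entities (expansion DoS) and external ones (XXE).
        kind = "external" if sysid is not None else "internal"
        raise ForbiddenXML("%s entity declaration %r not allowed" % (kind, name))

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference %r not allowed" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)  # exceptions raised in handlers propagate from here
    return names

def verdict(data, forbid_dtd=True):
    """Return 'accepted' or 'rejected: <reason>' for one request body."""
    try:
        parse_soap_strict(data, forbid_dtd)
    except ForbiddenXML as exc:
        return "rejected: %s" % exc
    return "accepted"

# Constructed sample requests, not taken from the bug report.
BENIGN = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soap:Body><echo>hi</echo></soap:Body></soap:Envelope>')
NESTED = b'<!DOCTYPE r [<!ENTITY a "x"><!ENTITY b "&a;&a;">]><r>&b;</r>'
EXTERNAL = b'<!DOCTYPE r [<!ENTITY e SYSTEM "file:///constructed/placeholder">]><r>&e;</r>'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("nested", NESTED), ("external", EXTERNAL)):
        print(label, verdict(body), verdict(body, forbid_dtd=False))
```

With `forbid_dtd=False` the DOCTYPE itself is tolerated, and the entity declaration handler is what stops both sample requests before any expansion or fetch happens.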