Bugzilla – Bug 1011836
VUL-0: CVE-2015-8978: perl-SOAP-Lite: XML exponential entity expansion denial-of-service
Last modified: 2016-12-11 21:21:34 UTC
In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier,
an example attack consists of defining 10 or more XML entities, each
defined as consisting of 10 of the previous entity, with the document
consisting of a single instance of the largest entity, which expands to
one billion copies of the first entity. The amount of computer memory
used for handling an external SOAP call would likely exceed that
available to the process parsing the XML.
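As a defensive illustration of the expansion mechanism described above, the following Python pre-parse check (an added example, not code from SOAP::Lite or from this bug report) estimates how large a document would become once its internal general entities are expanded. It does the arithmetic on lengths instead of building the strings, so a nesting of ten entities of ten costs a handful of integer additions rather than a billion copies, and it refuses documents whose expanded size or expansion ratio exceeds a limit. The sample messages, the `max_bytes` and `max_amplification` defaults and all function names are constructed for this example. Because SOAP 1.1 forbids a Document Type Declaration in a message, a SOAP endpoint can simply reject any request containing `<!DOCTYPE`; the estimator is for parsers that must tolerate internal DTDs.

```python
"""Estimate XML general-entity expansion before parsing (added example, not SOAP::Lite code)."""
import re

# Internal DTD subset, literal general-entity declarations, and entity references in text.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.DOTALL)
_ENTITY_RE = re.compile(r'<!ENTITY\s+([^\s%]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_REF_RE = re.compile(r"&([^;\s&]+);")


def internal_entities(xml_text):
    """General entities declared with literal values in the internal DTD subset.

    Parameter entities (% name) and SYSTEM/PUBLIC external entities do not match
    _ENTITY_RE and are skipped; a production filter should reject those outright.
    """
    m = _DOCTYPE_RE.search(xml_text)
    if not m:
        return {}
    return {name: dq if dq else sq for name, dq, sq in _ENTITY_RE.findall(m.group(1))}


def _expanded_len(text, entities, sizes, stack):
    """Length of `text` after substituting entity references, using cached per-entity sizes."""
    total, pos = 0, 0
    for ref in _REF_RE.finditer(text):
        total += ref.start() - pos
        name = ref.group(1)
        if name in entities:
            total += _entity_size(name, entities, sizes, stack)
        else:
            total += len(ref.group(0))  # predefined (&amp;) or undeclared: counted as written
        pos = ref.end()
    return total + len(text) - pos


def _entity_size(name, entities, sizes, stack):
    """Fully expanded length of one entity; `stack` guards against recursive declarations."""
    if name in sizes:
        return sizes[name]
    if name in stack:
        raise ValueError(f"recursive entity reference: {name}")
    sizes[name] = _expanded_len(entities[name], entities, sizes, stack | {name})
    return sizes[name]


def entity_sizes(entities):
    """Expanded length of every declared entity, computed as integers, never as strings."""
    sizes = {}
    for name in entities:
        _entity_size(name, entities, sizes, frozenset())
    return sizes


def expansion_report(xml_text, max_bytes=1_000_000, max_amplification=10.0):
    """Return (accepted, expanded_bytes, amplification) for an XML document.

    The document is rejected when its expanded size, or the ratio of expanded size to
    wire size, exceeds the limits. Both defaults are illustrative choices for this example.
    """
    entities = internal_entities(xml_text)
    sizes = entity_sizes(entities)
    m = _DOCTYPE_RE.search(xml_text)
    body = xml_text[m.end():] if m else xml_text
    expanded = _expanded_len(body, entities, sizes, frozenset())
    amplification = expanded / max(len(xml_text), 1)
    accepted = expanded <= max_bytes and amplification <= max_amplification
    return accepted, expanded, amplification


# Constructed sample: six nested entities, each made of four copies of the previous one
# (the report's example uses ten of ten; the shape is the same, the numbers are smaller).
NESTED_ENTITY_SOAP = """<?xml version="1.0"?>
<!DOCTYPE soap [
 <!ENTITY e0 "lol">
 <!ENTITY e1 "&e0;&e0;&e0;&e0;">
 <!ENTITY e2 "&e1;&e1;&e1;&e1;">
 <!ENTITY e3 "&e2;&e2;&e2;&e2;">
 <!ENTITY e4 "&e3;&e3;&e3;&e3;">
 <!ENTITY e5 "&e4;&e4;&e4;&e4;">
 <!ENTITY e6 "&e5;&e5;&e5;&e5;">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body><ping>&e6;</ping></soap:Body>
</soap:Envelope>
"""

# Constructed sample: an ordinary request with only a predefined entity reference.
BENIGN_SOAP = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body><ping>hello &amp; goodbye</ping></soap:Body>
</soap:Envelope>
"""

if __name__ == "__main__":
    for label, doc in (("nested", NESTED_ENTITY_SOAP), ("benign", BENIGN_SOAP)):
        ok, size, amp = expansion_report(doc)
        print(f"{label}: accepted={ok} expanded={size} bytes amplification={amp:.1f}x")
```

For the nested sample the expanded size is a little over 12 KB, well under `max_bytes`, so it is the amplification check (roughly 30x the wire size) that rejects it; the benign message expands to exactly its own length. A recursive pair of declarations, which the XML specification forbids, raises `ValueError` instead of looping.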
This needs to be fixed in openSUSE:Leap:42.1 and 42.2.
The SDKs for 11-SP4 and 12-SP2 are also affected.
bugbot adjusting priority
(In reply to Alexander Bergmann from comment #0)
> In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier,
(In reply to Alexander Bergmann from comment #1)
> This needs to be fixed in openSUSE:Leap:42.1 and 42.2.
> The SDKs for 11-SP4 and 12-SP2 are also affected.
Given we have version 1.20 in Tumbleweed and 42.2 and version 1.19 in 42.1 and 12-SP2, I tend to believe only 11 is affected (code applies there).
SUSE-SU-2016:3052-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1011836
CVE References: CVE-2015-8978
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): perl-SOAP-Lite-0.710.08-3.1