CVE-2015-8978

Name: CVE-2015-8978
Description: In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, an example attack consists of defining 10 or more XML entities, each defined as consisting of 10 of the previous entity, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity. The amount of computer memory used for handling an external SOAP call would likely exceed that available to the process parsing the XML.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-723-1

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libsoap-lite-perl (PTS) | buster, bullseye | 1.27-1 | fixed |
| | sid, trixie, bookworm | 1.27-3 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libsoap-lite-perl | source | wheezy | 0.714-1+deb7u1 | | DLA-723-1 | |
| libsoap-lite-perl | source | (unstable) | 1.19-1 | | | |

Notes

[jessie] - libsoap-lite-perl <no-dsa> (Minor issue)
https://github.com/redhotpenguin/soaplite/pull/21
https://github.com/redhotpenguin/soaplite/commit/6942fe0d281be1c32c5117605f9c4e8d44f51124
