CVE-2015-8978

Name: CVE-2015-8978
Description: In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, an example attack consists of defining 10 or more XML entities, each defined as consisting of 10 of the previous entity, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity. The amount of computer memory used for handling an external SOAP call would likely exceed that available to the process parsing the XML.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-723-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package           Release               Version         Status
libsoap-lite-perl (PTS)  wheezy                0.714-1         vulnerable
                         wheezy (security)     0.714-1+deb7u1  fixed
                         jessie                1.11-1          vulnerable
                         buster, sid, stretch  1.20-1          fixed

The information below is based on the following data on fixed versions.

Package            Type    Release     Fixed Version   Urgency  Origin     Debian Bugs
libsoap-lite-perl  source  (unstable)  1.19-1          medium
libsoap-lite-perl  source  wheezy      0.714-1+deb7u1  medium   DLA-723-1

Notes

[jessie] - libsoap-lite-perl <no-dsa> (Minor issue)
https://github.com/redhotpenguin/soaplite/pull/21
https://github.com/redhotpenguin/soaplite/commit/6942fe0d281be1c32c5117605f9c4e8d44f51124
