Bug 308047 (CVE-2010-0305)

Summary:	<net-im/ejabberd-2.1.3: Denial of Service Vulnerability (CVE-2010-0305)
Product:	Gentoo Security	Reporter:	Stefan Behte (RETIRED) <craig>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	antoni, caleb, hanno, net-im
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://support.process-one.net/browse/EJAB-1173
Whiteboard:	B3 [glsa]
Package list:		Runtime testing required:	---
Bug Depends on:	281366, 327605
Bug Blocks:

Description Stefan Behte (RETIRED) gentoo-dev

2010-03-06 15:35:17 UTC

CVE-2010-0305 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0305):
  ejabberd_c2s.erl in ejabberd before 2.1.3 allows remote attackers to
  cause a denial of service (daemon crash) via a large number of c2s
  (aka client2server) messages that trigger a queue overload.

Comment 1 Stefan Behte (RETIRED) gentoo-dev

2010-03-06 16:53:45 UTC

*** Bug 303016 has been marked as a duplicate of this bug. ***

Comment 2 Alex Legler (RETIRED) archtester

2010-03-07 09:10:31 UTC

Rerating B3 for DoS.

Comment 3 Antek Grzymała (antoszka) 2010-03-10 09:50:32 UTC

Can't see a 2.1.3 release. Does that mean that it's only a planned release, and currently the code is fixed only in git currently? This will probably need some bumping in http://bugs.gentoo.org/show_bug.cgi?id=281366

Comment 4 Stefan Behte (RETIRED) gentoo-dev

2010-03-18 00:12:51 UTC

Patch: https://support.process-one.net/browse/EJAB-1173;jsessionid=CC9A1D875A20197DD4571444DA8C1EFB?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel

https://support.process-one.net/browse/EJAB-1173 says:
Affects Version/s:  	 ejabberd 2.1.2
Fix Version/s: 	         ejabberd 2.1.3

And we got:
http://www.ejabberd.im/ejabberd-2.1.3


Please provide an updated ebuild.

Comment 5 Joshua Wright 2010-03-18 09:15:19 UTC

Hi Guys,

Is there any chance that this would be marked stable soon?

Thank you,

Comment 6 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev

2010-04-10 14:18:20 UTC

We should bump to 2.1.3 ASAP, bug 281366.

Comment 7 Peter Volkov (RETIRED) gentoo-dev

2010-06-21 08:02:53 UTC

Ok, I've bumped and just unmasked 2.1.4 in tree. A week from now if nothing pops up it'll be ok to start stabilization.

Comment 8 Peter Volkov (RETIRED) gentoo-dev

2010-07-01 13:35:55 UTC

arch teams, please, stabilize net-im/ejabberd-2.1.4.

Comment 9 Dane Smith (RETIRED) gentoo-dev

2010-07-01 13:46:16 UTC

x86: Just a heads up, this is dependent on the ~x86 package shadow-4.1.4.2-r3.

Comment 10 Dane Smith (RETIRED) gentoo-dev

2010-07-01 14:28:58 UTC

x86: Compiles fine. No errors on running. I *think* its running alright, but I don't know a ton about jabber.

Comment 11 Christian Faulhammer (RETIRED) gentoo-dev

2010-07-03 08:09:17 UTC

stable x86, thanks Dane

Comment 12 SpanKY gentoo-dev

2010-07-10 00:47:42 UTC

shadow-4.1.4.2-r3 has a small regression that no one noticed until it went stable.  ive added shadow-4.1.4.2-r4 with the small fix.

Comment 13 Christian Faulhammer (RETIRED) gentoo-dev

2010-07-10 15:35:15 UTC

x86 done again

Comment 14 Markos Chandras (RETIRED) gentoo-dev

2010-07-12 17:34:51 UTC

amd64 done

Comment 15 Stefan Behte (RETIRED) gentoo-dev

2010-08-01 12:27:19 UTC

Vote: no.

Comment 16 Tobias Heinlein (RETIRED) gentoo-dev

2010-08-14 14:43:11 UTC

I vote YES here.

Comment 17 Tim Sammut (RETIRED) gentoo-dev

2010-11-18 20:50:18 UTC

GLSA Vote: Yes, request filed.

Comment 18 GLSAMaker/CVETool Bot gentoo-dev

2012-06-21 18:20:23 UTC

This issue was resolved and addressed in
 GLSA 201206-10 at http://security.gentoo.org/glsa/glsa-201206-10.xml
by GLSA coordinator Stefan Behte (craig).