| Field | Value |
|---|---|
| Summary | <net-im/openfire-3.9.2-r1: XML Decompression Denial of Service Vulnerability (CVE-2014-2741) |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | flow, net-im, slyfox |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://secunia.com/advisories/57704/ |
| Whiteboard | B3 [glsa] |
| Package list | |
| Runtime testing required | --- |
Description

Agostino Sarubbo, 2014-04-09 14:03:47 UTC:

Bumped as =net-im/openfire-3.9.2-r1, ready to stable on amd64 x86.

Release announce: http://community.igniterealtime.org/blogs/ignite/2014/04/30/openfire-392-has-been-released

With vuln fixed: http://issues.igniterealtime.org/browse/OF-770

Arches, please test and mark stable: =net-im/openfire-3.9.2-r1
target KEYWORDS="amd64 x86"

amd64 stable

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

GLSA vote: Yes, with bug 266129.

Maintainer(s), please drop the vulnerable version.

GLSA Vote: Yes

Created a New GLSA request.

(In reply to Yury German from comment #6)
> Maintainer(s), please drop the vulnerable version.

Dropped:

> 10 Jun 2014; Sergei Trofimovich <slyfox@gentoo.org> -files/buildxml.patch,
> -files/openfire-3.7.1-buildxml-jdk7.patch, -openfire-3.6.1.ebuild,
> -openfire-3.6.3.ebuild, -openfire-3.6.4.ebuild, -openfire-3.7.0.ebuild,
> -openfire-3.7.1-r1.ebuild, -openfire-3.8.1.ebuild, -openfire-3.8.2-r1.ebuild,
> -openfire-3.8.2.ebuild, -openfire-3.9.1.ebuild:
> Drop old vulnerable version (security bug #507242).

CVE-2014-2741 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2741): nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

Maintainer(s), thank you for cleanup!

This issue was resolved and addressed in GLSA 201406-35 at http://security.gentoo.org/glsa/glsa-201406-35.xml by GLSA coordinator Mikle Kolyada (Zlogene).
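The CVE text above says the pre-3.9.2 parser did not restrict how far compressed XML was allowed to expand. The following is an added example, not Openfire's code (which is Java) and not the OF-770 fix: a small Python inflater that enforces a hard output cap and an expansion-ratio check while decompressing, so a stream is rejected before it consumes the memory it is asking for. All names, limits and sample streams here are constructed for illustration.

```python
import zlib

# Policy limits (constructed for this example; tune to the deployment).
MAX_INFLATED_BYTES = 1_000_000   # hard cap on decompressed bytes per stream
MAX_RATIO = 100                  # decompressed:compressed ratio treated as a bomb
RATIO_FLOOR = 64 * 1024          # only judge the ratio once this much has been produced
CHUNK = 64 * 1024                # inflate in bounded steps, checking between them


class DecompressionBomb(Exception):
    """Raised when compressed input expands past the configured limits."""


def _check(produced: int, consumed: int, max_out: int, max_ratio: int) -> None:
    # Size cap first: it is the cheapest and least ambiguous signal.
    if produced > max_out:
        raise DecompressionBomb(f"inflated {produced} bytes, limit is {max_out}")
    # Ratio only above a floor, so tiny legitimate stanzas that happen to
    # compress extremely well are not rejected.
    if produced > RATIO_FLOOR and consumed and produced / consumed > max_ratio:
        raise DecompressionBomb(f"ratio {produced / consumed:.0f}:1 exceeds {max_ratio}:1")


def inflate_bounded(compressed: bytes,
                    max_out: int = MAX_INFLATED_BYTES,
                    max_ratio: int = MAX_RATIO) -> bytes:
    """Inflate zlib data while enforcing size and ratio limits.

    Output is requested CHUNK bytes at a time, so the running total is checked
    before the next chunk is allocated instead of inflating everything first
    and measuring afterwards.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = compressed
    while pending:
        out += d.decompress(pending, CHUNK)       # at most CHUNK bytes per call
        _check(len(out), len(compressed), max_out, max_ratio)
        pending = d.unconsumed_tail               # input zlib has not consumed yet
    out += d.flush()                              # output still buffered inside zlib
    _check(len(out), len(compressed), max_out, max_ratio)
    return bytes(out)


def sample_stanzas(n: int) -> bytes:
    """Constructed benign stream: stanzas with varying content."""
    body = b"".join(
        f"<message id='m{i}'><body>hello {i}</body></message>".encode() for i in range(n)
    )
    return b"<stream:stream>" + body + b"</stream:stream>"


def sample_repetitive(n: int) -> bytes:
    """Constructed highly repetitive stream: the shape the limits must catch."""
    stanza = b"<message><body>" + b"A" * 1024 + b"</body></message>"
    return b"<stream:stream>" + stanza * n + b"</stream:stream>"


def accepts(raw: bytes) -> bool:
    """Compress raw, run it through inflate_bounded, report whether it passed."""
    try:
        return inflate_bounded(zlib.compress(raw)) == raw
    except DecompressionBomb:
        return False


if __name__ == "__main__":
    print("benign stream accepted:", accepts(sample_stanzas(50)))
    print("repetitive stream accepted:", accepts(sample_repetitive(5000)))
```

The design choice worth noting is that the check runs inside the inflate loop rather than after it: a post-hoc length check still pays the full allocation cost, which is exactly the resource the CVE describes being exhausted. The ratio floor is a practical caveat, since very short XMPP stanzas can legitimately compress at ratios that would look alarming on a large stream.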