
Bug 217234

Summary: net-im/openfire <3.5.0 Denial of Service (CVE-2008-1728)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: humpback, net-im
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/29751/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-10 23:23:54 UTC
Secunia:

DESCRIPTION:
A vulnerability has been reported in Openfire, which can be exploited
by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error and can be
exploited to cause a DoS.

The vulnerability is reported in version 3.4.5. Other versions may
also be affected.

SOLUTION:
Update to version 3.5.0.

ORIGINAL ADVISORY:
http://www.igniterealtime.org/issues/browse/JM-1289
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-10 23:24:26 UTC
3.5.0 is already in the tree, good to go stable?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-12 16:56:27 UTC
Vulnerability: It cannot handle clients that fail to read 
messages, and has no limit on their session's send buffer.

http://www.igniterealtime.org/fisheye/changelog/svn-org?cs=10031
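
The failure mode summarized in Comment 2 (a client that stops reading while its session's send buffer has no limit), sketched as an added example that is not part of the original bug report and is not Openfire's code or its actual fix: a per-session outbound buffer with a byte cap that closes the session instead of growing. The class name, the 64 KiB cap and the simulated workload are assumptions constructed for illustration.

```python
from collections import deque


class BoundedSession:
    """Outbound buffer for one client session, capped in bytes (hypothetical)."""

    def __init__(self, max_buffered_bytes=64 * 1024):  # cap is an assumed value
        self.max_buffered_bytes = max_buffered_bytes
        self.pending = deque()   # stanzas queued but not yet read by the client
        self.buffered_bytes = 0
        self.closed = False

    def deliver(self, stanza: bytes) -> bool:
        """Queue a stanza; close the session rather than exceed the cap."""
        if self.closed:
            return False
        if self.buffered_bytes + len(stanza) > self.max_buffered_bytes:
            self.close()         # slow or non-reading client: drop the session
            return False
        self.pending.append(stanza)
        self.buffered_bytes += len(stanza)
        return True

    def client_read(self, max_bytes: int) -> bytes:
        """Simulate the client draining up to max_bytes from its socket."""
        out = bytearray()
        while self.pending and len(out) < max_bytes:
            room = max_bytes - len(out)
            head = self.pending.popleft()
            out += head[:room]
            if len(head) > room:  # partial read: keep the unread tail queued
                self.pending.appendleft(head[room:])
        self.buffered_bytes -= len(out)
        return bytes(out)

    def close(self):
        self.closed = True
        self.pending.clear()      # release the memory held for this session
        self.buffered_bytes = 0


def simulate(read_per_message: int, messages: int = 1000, size: int = 512):
    """Constructed workload: return (session_closed, peak_buffered_bytes)."""
    session, peak, stanza = BoundedSession(), 0, b"x" * size
    for _ in range(messages):
        if not session.deliver(stanza):
            break
        peak = max(peak, session.buffered_bytes)
        session.client_read(read_per_message)
    return session.closed, peak
```

A client that reads everything keeps the buffer at one stanza; one that reads nothing, or only half of each stanza, is disconnected once the cap is reached, so server memory per session stays bounded.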
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 02:11:33 UTC
net-irc/humpback, is 3.5.0_rc1 good to go stable?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-15 22:57:58 UTC
Arches, please test and mark stable:
=net-im/openfire-3.5.0
Target keywords : "amd64 release x86"
Comment 5 Markus Meier gentoo-dev 2008-04-17 01:01:09 UTC
amd64/x86 stable, last arches.
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 10:36:21 UTC
ready for GLSA vote

/me votes yes
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2008-04-17 20:08:44 UTC
Voting YES as well and filing request.
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2008-04-21 08:09:13 UTC
Fixed in release snapshot.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 16:38:05 UTC
GLSA 200804-26