| Summary: | <net-im/ejabberd-2.1.8: Denial of Service (CVE-2011-1753) |
|---|---|
| Product: | Gentoo Security |
| Reporter: | Federico Cuello <fedux> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| CC: | alexanderyt, net-im, pva |
| Priority: | Normal |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | B3 [glsa] |
| Package list: | |
| Runtime testing required: | --- |
Description
Federico Cuello
2011-06-05 22:18:22 UTC

Looks like ejabberd-2.1.8 was released also. http://www.ejabberd.im/ejabberd-2.1.8

The ejabberd 2.1.7 released yesterday contains a bug that breaks PubSub. If you use ejabberd 2.1.7 and PubSub, you can find the patch and the fixed mod_pubsub.beam in the page EJAB-1457.

Thank you for the report, Federico. New version is in the tree. Arch teams, please stabilize.

USE=mod_statsdx seems a bit broken as the upstream filename has changed... Besides that, it looks good here on x86.

```
ewarn "mod_statsdx is not a part of upstream tarball but is a third-party module"
ewarn "taken from here: http://www.ejabberd.im/mod_stats2file"
```

```diff
- epatch "${WORKDIR}/2.1.1-mod_statsdx.patch"
+ epatch "${WORKDIR}/ejabberd-mod_statsdx-1080.patch"
```

(In reply to comment #3)
> USE=mod_statsdx seems a bit broken as the upstream filename has changed...

This is an intentional change. I guess the file was removed before I committed the ebuild, and now I have put it on the mirrors another time.

(In reply to comment #4)
> (In reply to comment #3)
> > USE=mod_statsdx seems a bit broken as the upstream filename has changed...
>
> This is an intentional change. I guess the file was removed before I committed the ebuild, and now I have put it on the mirrors another time.

amd64: ditto x86. Emerges fine but for mod_statsdx. Is the ebuild up for a final adjustment?

(In reply to comment #5)
> ditto x86. Emerges fine but for mod_statsdx.

Guys, could you at least show the error message or something?

(In reply to comment #6)
> Guys, could you at least show the error message or something?

```
>>> Unpacking source...
>>> Unpacking ejabberd-2.1.8.tar.gz to /var/tmp/portage/net-im/ejabberd-2.1.8/work
>>> Unpacking ejabberd-mod_statsdx-1080.patch.gz to /var/tmp/portage/net-im/ejabberd-2.1.8/work
>>> Source unpacked in /var/tmp/portage/net-im/ejabberd-2.1.8/work
>>> Preparing source in /var/tmp/portage/net-im/ejabberd-2.1.8/work/ejabberd-2.1.8/src ...
 * mod_statsdx is not a part of upstream tarball but is a third-party module
 * taken from here: http://www.ejabberd.im/mod_stats2file
 * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
 *
 *   /var/tmp/portage/net-im/ejabberd-2.1.8/work/2.1.1-mod_statsdx.patch
 *   ( 2.1.1-mod_statsdx.patch )

# ls -l /var/tmp/portage/net-im/ejabberd-2.1.8/work/*.patch
-rw-r--r-- 1 root root 69688 Jun 16 06:12 /var/tmp/portage/net-im/ejabberd-2.1.8/work/ejabberd-mod_statsdx-1080.patch
```

Thank you, Andreas. I forgot to push all changes from the overlay... Now everything should be in place.

amd64 done.

x86 stable, thanks Andreas.

All arches done.

Thanks, folks. GLSA Vote: yes.

CVE-2011-1753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1753): expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

Vote: YES. Added to pending GLSA request.

This issue was resolved and addressed in GLSA 201206-10 at http://security.gentoo.org/glsa/glsa-201206-10.xml by GLSA coordinator Stefan Behte (craig).
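Review bot: the ebuild hunk that renames the epatch target from 2.1.1-mod_statsdx.patch to ejabberd-mod_statsdx-1080.patch only works if the same commit also ships the renamed distfile and the matching SRC_URI; the build log later in the thread shows src_unpack fetching ejabberd-mod_statsdx-1080.patch.gz while src_prepare still runs epatch on 2.1.1-mod_statsdx.patch, which is exactly the "Cannot find $EPATCH_SOURCE" failure, so the tree copy of the ebuild lacked the `+` line when the distfile changed. The two ewarn lines above the hunk still point at http://www.ejabberd.im/mod_stats2file; if the renamed patch comes from elsewhere, update that message in the same commit.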
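The CVE text above describes a nested-entity expansion attack (the "billion laughs" pattern): a small DTD whose entities reference each other so that the expanded body is gigabytes, or whose entities reference themselves so expansion never terminates. The Python below is an added example, not code from ejabberd, expat_erl.c, exmpp or this bug; it shows the check a parser front end needs: compute each general entity's expanded size symbolically from the internal DTD subset, reject recursive or over-deep declarations, and refuse a document whose body would expand past a budget. All function names, limits and sample documents are constructed for illustration; it handles internal general entities only, not parameter or external entities.

```python
"""Pre-parse check for XML entity-expansion DoS (the pattern in CVE-2011-1753).

Added example; not code from ejabberd, expat_erl.c, exmpp or this bug report.
Function names, budgets and sample documents are illustrative.
"""
import re

# General entity declaration in the internal subset, e.g. <!ENTITY lol1 "&lol;&lol;">.
# Parameter entities (% name) and SYSTEM/PUBLIC external entities are not handled here.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.\-]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.\-]*);')
DOCTYPE = re.compile(r'<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>', re.S)

# The five predefined XML entities each expand to a single character.
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}


class EntityExpansionError(ValueError):
    """Recursive, over-deep, undefined or over-budget entity expansion."""


def parse_internal_subset(doc):
    """Return ({entity name: replacement text}, body after the DOCTYPE)."""
    m = DOCTYPE.search(doc)
    if not m:
        return {}, doc
    entities = {}
    for name, dq, sq in ENTITY_DECL.findall(m.group(1)):
        entities.setdefault(name, dq if dq else sq)  # XML rule: first binding wins
    return entities, doc[m.end():]


def expansion_sizes(entities, max_depth=20):
    """Expanded length of every entity, computed without expanding anything.

    Each reference inside a replacement text contributes the full expanded size
    of the referenced entity, once per occurrence, so ten chained entities with
    ten references each cost 10**9 * len(leaf) characters on paper but no memory
    here. An entity that reaches itself, or nesting beyond max_depth, raises
    instead of looping: the recursion detection the CVE text says was missing.
    """
    sizes = dict(PREDEFINED)

    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise EntityExpansionError("recursive entity reference: " + " -> ".join(stack + [name]))
        if name not in entities:
            raise EntityExpansionError(f"undefined entity &{name};")
        if len(stack) >= max_depth:
            raise EntityExpansionError(f"entity nesting deeper than {max_depth}")
        value = entities[name]
        stack.append(name)
        total = len(ENTITY_REF.sub("", value))  # literal characters in the replacement text
        for ref in ENTITY_REF.findall(value):
            total += size_of(ref, stack)
        stack.pop()
        sizes[name] = total
        return total

    for name in entities:
        size_of(name, [])
    return sizes


def check_expansion(doc, max_total=1_000_000, max_depth=20):
    """Return the expanded length of the document body, or raise
    EntityExpansionError if it would exceed max_total characters."""
    entities, body = parse_internal_subset(doc)
    sizes = expansion_sizes(entities, max_depth)
    total = len(ENTITY_REF.sub("", body))
    for ref in ENTITY_REF.findall(body):
        if ref not in sizes:
            raise EntityExpansionError(f"undefined entity &{ref};")
        total += sizes[ref]
        if total > max_total:
            raise EntityExpansionError(f"body would expand past {max_total} characters")
    return total


def is_safe(doc, **limits):
    """True if the document passes check_expansion with the given limits."""
    try:
        check_expansion(doc, **limits)
        return True
    except EntityExpansionError:
        return False


# --- constructed sample documents (not captured traffic) ---

def billion_laughs(levels=9, fanout=10):
    """Build the classic nested-entity document: fanout**levels copies of 'lol'."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, levels + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f'\n]>\n<lolz>&lol{levels};</lolz>\n')


RECURSIVE = '<!DOCTYPE a [\n <!ENTITY x "&y;">\n <!ENTITY y "&x;">\n]>\n<a>&x;</a>\n'

BENIGN = ('<?xml version="1.0"?>\n<!DOCTYPE msg [\n'
          ' <!ENTITY vendor "Example Corp">\n'
          ' <!ENTITY product "ejabberd 2.1.8 by &vendor;">\n'
          ']>\n<msg>&product; &lt;xmpp&gt;</msg>\n')

if __name__ == "__main__":
    print("benign body expands to", check_expansion(BENIGN), "characters")
    for label, doc in (("billion laughs", billion_laughs()), ("recursive", RECURSIVE)):
        try:
            check_expansion(doc)
        except EntityExpansionError as e:
            print(f"{label}: rejected ({e})")
```

Run stand-alone it reports the benign document's size and rejects both hostile ones without allocating the 3 GB body. In production the same limits belong in the parser rather than in a regex front end: libexpat 2.4 and later expose XML_SetBillionLaughsAttackProtectionMaximumAmplification and XML_SetBillionLaughsAttackProtectionActivationThreshold, and for an Erlang driver like expat_erl.c the equivalent is to bound expansion inside the driver before the expanded text is copied back to the VM.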