| Summary: | <net-im/ejabberd-2.1.9: Denial of Service (CVE-2011-4320) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Anton Podavalov <a.podavalov> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | evadim, net-im, pva |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.ejabberd.im | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Anton Podavalov
2011-10-07 13:18:44 UTC
rename of the ejabberd ebuild works fine. This is a security issue, see changes: http://www.ejabberd.im/ejabberd-2.1.9
PubSub: Fix Denial of Service when user sends malformed publish stanza (EJAB-1498)

I've requested a CVE id.

*** Bug 392889 has been marked as a duplicate of this bug. ***

New version is in the tree. Arch teams, please, stabilize.
=net-im/ejabberd-2.1.9
Target KEYWORDS="amd64 x86"

@pva: metadata.warning 1 net-im/ejabberd/metadata.xml: unused local USE-description: 'mod_srl'

amd64 stable

x86 stable

Thanks folks, @security, please proceed to vote.

Thanks, everyone. GLSA Vote: yes.

CVE-2011-4320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4320): The mod_pubsub module (mod_pubsub.erl) in ejabberd 2.1.8 and 3.0.0-alpha-3 allows remote authenticated users to cause a denial of service (infinite loop) via a stanza with a publish tag that lacks a node attribute.

Votes: Yes. GLSA request filed.

This issue was resolved and addressed in GLSA 201206-10 at http://security.gentoo.org/glsa/glsa-201206-10.xml by GLSA coordinator Stefan Behte (craig).
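The stanza shape named in the CVE description can be checked for in captured traffic or in a filtering proxy in front of a server that has not yet been upgraded. The following is an added example, not code from ejabberd or from this bug report; the function name, the sample stanzas, the DTD pre-check and the stricter empty-`node` check are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# XEP-0060 namespace that carries <publish/> requests
PUBSUB_NS = "http://jabber.org/protocol/pubsub"


def check_publish_stanza(raw):
    """Return a list of problems found in one serialized <iq/> stanza."""
    # XMPP forbids DTDs and entity declarations (RFC 6120), so refuse
    # them before handing the text to the XML parser.
    if "<!DOCTYPE" in raw or "<!ENTITY" in raw:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    problems = []
    # Only <publish/> in the pubsub namespace is relevant to CVE-2011-4320.
    for publish in root.iter(f"{{{PUBSUB_NS}}}publish"):
        node = publish.get("node")
        if node is None:
            problems.append("publish element lacks node attribute")
        elif not node.strip():
            # Stricter than the CVE text: an empty node name is also flagged.
            problems.append("publish element has empty node attribute")
    return problems


# Constructed sample stanzas (not taken from the bug report).
SAMPLES = {
    "ok": (
        "<iq type='set' id='p1' to='pubsub.example.org'>"
        f"<pubsub xmlns='{PUBSUB_NS}'>"
        "<publish node='news'><item id='1'/></publish>"
        "</pubsub></iq>"
    ),
    "missing_node": (
        "<iq type='set' id='p2' to='pubsub.example.org'>"
        f"<pubsub xmlns='{PUBSUB_NS}'>"
        "<publish><item id='1'/></publish>"
        "</pubsub></iq>"
    ),
}

if __name__ == "__main__":
    for name, stanza in SAMPLES.items():
        print(name, check_publish_stanza(stanza))
```
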