Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 386075 (CVE-2011-4320)

Summary: <net-im/ejabberd-2.1.9: Denial of Service (CVE-2011-4320)
Product: Gentoo Security Reporter: Anton Podavalov <a.podavalov>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: evadim, net-im, pva
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.ejabberd.im
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Anton Podavalov 2011-10-07 13:18:44 UTC
The new version of the ejabberd has been released.

Reproducible: Always
Comment 1 Vadim Efimov 2011-10-09 15:31:11 UTC
rename of the ejabberd ebuild works fine.
Comment 2 Hanno Böck gentoo-dev 2011-11-19 11:24:28 UTC
This is a security issue, see changes:
http://www.ejabberd.im/ejabberd-2.1.9
PubSub: Fix Denial of Service when user sends malformed publish stanza (EJAB-1498)

I've requested a CVE id.
Comment 3 Agostino Sarubbo gentoo-dev 2011-12-02 15:22:38 UTC
*** Bug 392889 has been marked as a duplicate of this bug. ***
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2011-12-17 03:28:22 UTC
New version is in the tree. Arch teams, please, stabilize.
=net-im/ejabberd-2.1.9
Target KEYWORDS="amd64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2011-12-17 15:39:38 UTC
@pva:
metadata.warning              1
   net-im/ejabberd/metadata.xml: unused local USE-description: 'mod_srl'

amd64 stable
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-12-21 08:49:06 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2011-12-21 09:15:18 UTC
Thanks folks, 

@security, please proceed to vote.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-12-21 14:13:39 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 01:29:15 UTC
CVE-2011-4320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4320):
  The mod_pubsub module (mod_pubsub.erl) in ejabberd 2.1.8 and 3.0.0-alpha-3
  allows remote authenticated users to cause a denial of service (infinite
  loop) via a stanza with a publish tag that lacks a node attribute.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:03:57 UTC
Votes: Yes. GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 18:20:32 UTC
This issue was resolved and addressed in
 GLSA 201206-10 at http://security.gentoo.org/glsa/glsa-201206-10.xml
by GLSA coordinator Stefan Behte (craig).