
Bug 432936 (CVE-2012-3525)

Summary: <net-im/jabberd2-2.3.1-r1: XMPP dialback domain spoofing (CVE-2012-3525)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: bug, cyberbat83, hasufell, marko.durkovic, net-im
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 314473    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2012-08-27 07:56:43 UTC
CVE-2012-3525 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3525):
  s2s/out.c in jabberd2 2.2.16 and earlier does not verify that a request was
  made for an XMPP Server Dialback response, which allows remote XMPP servers
  to spoof domains via a (1) Verify Response or (2) Authorization Response.
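
The check the CVE description says was missing, as an added example (not jabberd2's code and not the upstream patch): a Verify Response or Authorization Response is honoured only when a matching dialback request is outstanding. The structure, function names and example domains are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of outbound dialback state; names are hypothetical,
 * not jabberd2's own structures. */
enum db_kind  { DB_RESULT, DB_VERIFY };          /* which request we sent */
enum db_state { DB_NONE, DB_PENDING, DB_VALID };

struct db_req { enum db_kind kind; const char *local, *remote; enum db_state state; };

static struct db_req reqs[8];
static size_t nreqs;

static struct db_req *db_find(enum db_kind k, const char *local, const char *remote) {
    for (size_t i = 0; i < nreqs; i++)
        if (reqs[i].kind == k && !strcmp(reqs[i].local, local) &&
            !strcmp(reqs[i].remote, remote))
            return &reqs[i];
    return NULL;
}

/* Record that we sent <db:result/> or <db:verify/> from local to remote. */
int db_request_sent(enum db_kind k, const char *local, const char *remote) {
    struct db_req *r = db_find(k, local, remote);
    if (!r) {
        if (nreqs == sizeof reqs / sizeof reqs[0]) return -1;   /* table full */
        r = &reqs[nreqs++];
        r->kind = k; r->local = local; r->remote = remote;
    }
    r->state = DB_PENDING;
    return 0;
}

/* Handle an incoming response addressed to local, claiming to be from remote.
 * Returns 1 only when a matching request is outstanding and type is "valid". */
int db_response_received(enum db_kind k, const char *local, const char *remote,
                         const char *type) {
    struct db_req *r = db_find(k, local, remote);
    if (!r || r->state != DB_PENDING)
        return 0;                       /* unsolicited response: ignore it */
    r->state = (type && !strcmp(type, "valid")) ? DB_VALID : DB_NONE;
    return r->state == DB_VALID;
}

int main(void) {
    /* Constructed domains. No request was ever sent for victim.example. */
    printf("unsolicited: %d\n", db_response_received(DB_RESULT, "a.example", "victim.example", "valid"));
    db_request_sent(DB_RESULT, "a.example", "b.example");
    printf("solicited:   %d\n", db_response_received(DB_RESULT, "a.example", "b.example", "valid"));
    return 0;
}
```
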
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-08-27 08:03:28 UTC
jabberd-2.2.17.tar.xz — jabberd 2.2.17 release
1.3MB · Uploaded 20 hours ago

includes the fix
Comment 2 Marcin Mirosław 2012-08-28 08:33:06 UTC
Should bug #314473 be a blocker for this bug?
Comment 3 cyberbat 2013-03-26 06:09:57 UTC
Nearly half a year has passed since this bug was reported, upstream has released a fixed version, but we don't have it in the portage tree. It's a real pity :(
Comment 4 Julian Ospald 2013-11-01 21:51:40 UTC
(In reply to cyberbat from comment #3)
> Nearly half a year has passed since this bug was reported, upstream has released
> a fixed version, but we don't have it in the portage tree. It's a real pity :(

bumped
Comment 5 Sergey Popov gentoo-dev 2013-12-27 10:33:35 UTC
2.2.17 is gone from tree, current non-vulnerable version in tree is 2.3.1-r1

@maintainers: is it OK to stable it?
Comment 6 Julian Ospald 2013-12-27 13:26:19 UTC
yes
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 02:13:16 UTC
Arches, please test and mark stable:

=net-im/jabberd2-2.3.1-r1

Target Keywords : "amd64 ppc sparc x86"
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-03 21:11:46 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-03 21:16:43 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-04 12:38:41 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-01-06 09:30:37 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Julian Ospald 2014-01-06 14:46:53 UTC
(In reply to Agostino Sarubbo from comment #11)
> 
> Maintainer(s), please cleanup.

done
Comment 13 Sergey Popov gentoo-dev 2014-02-26 14:41:28 UTC
Thanks for your work.

GLSA vote: no
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-26 17:29:17 UTC
GLSA vote: no.

Closing as [noglsa].