| Summary: | <net-im/prosody-0.9.4: XML Decompression Denial of Service Vulnerability (CVE-2014-{2744,2745}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | alexander, klausman, rafaelmartins, zx2c4 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/57749/ | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 507078, 511532 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
CVE-2014-2744 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2744): plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.

CVE-2014-2745 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2745): Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.

CVE-2014-2745 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2745): Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.

CVE-2014-2744 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2744): plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.

It may appear different, but this is only 2 CVEs, not 4.

+*prosody-0.9.4 (16 Apr 2014)
+
+ 16 Apr 2014; Jason A. Donenfeld <zx2c4@gentoo.org> +prosody-0.9.4.ebuild:
+ Version bump.
+
+*luaexpat-1.3.0 (17 Apr 2014)
+
+ 17 Apr 2014; Jason A. Donenfeld <zx2c4@gentoo.org> +luaexpat-1.3.0.ebuild:
+ Version bump for prosody.
+

Maintainers, please advise when ebuilds have had enough testing and are ready for stabilization.

Also a question: no ~hppa ebuild for luaexpat? Just making sure.
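Review bot: the prosody-0.9.4 and luaexpat-1.3.0 ChangeLog entries say only "Version bump." and "Version bump for prosody." with no reference to this bug or to CVE-2014-2744/2745, so the security motivation for the bump is not visible from the ChangeLog; cite the bug in the entry, e.g. "Version bump, fixes CVE-2014-2744 and CVE-2014-2745".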
Maintainers: ping

Please stabilize: =net-im/prosody-0.9.7
Targets: amd64 arm x86

It has been in the tree for 30 days without open bugs. Adding arches for stabilization.

amd64 done.

x86 done.

arm stable, all arches done.

Arches, thank you for your work. Maintainer(s), please drop the vulnerable version(s).

First GLSA Vote: No

GLSA vote: no.
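One mitigation for the resource-consumption problem behind CVE-2014-2745 is to bound how far compressed input may expand before the XML parser ever sees it. The following is an added illustration in Python and is not Prosody's code or part of the Gentoo ebuild; the budget values, `BoundedInflater` and `inflate_or_reject` are assumptions for this example, and both sample inputs are constructed.

```python
import zlib

# Budgets chosen for illustration (assumptions, not Prosody's own settings).
MAX_INFLATED_BYTES = 1 << 20  # hard cap on XML produced from one compressed input
MAX_RATIO = 100               # output/input ratio above which input is treated as a bomb
RATIO_FLOOR = 64 * 1024       # ratio is only judged once this much output exists
STEP = 64 * 1024              # inflate at most this much per zlib call


class DecompressionBomb(Exception):
    """Raised when compressed input expands beyond the configured budget."""


class BoundedInflater:
    """Inflates a zlib stream incrementally, as an XMPP stream-compression
    layer would, while enforcing an output budget and a ratio limit."""

    def __init__(self, max_bytes=MAX_INFLATED_BYTES, max_ratio=MAX_RATIO):
        self._z = zlib.decompressobj()
        self.max_bytes, self.max_ratio = max_bytes, max_ratio
        self.bytes_in = self.bytes_out = 0

    def feed(self, chunk: bytes) -> bytes:
        """Return the XML inflated from chunk, or raise DecompressionBomb."""
        self.bytes_in += len(chunk)
        out, pending = bytearray(), chunk
        while True:
            # max_length stops zlib after STEP bytes; unread input waits in
            # unconsumed_tail, so a bomb expands in checked steps, never at once.
            piece = self._z.decompress(pending, STEP)
            out += piece
            self.bytes_out += len(piece)
            if self.bytes_out > self.max_bytes:
                raise DecompressionBomb(f"output exceeds {self.max_bytes} bytes")
            if self.bytes_out > RATIO_FLOOR and self.bytes_out > self.max_ratio * self.bytes_in:
                raise DecompressionBomb(f"expansion exceeds {self.max_ratio}:1")
            pending = self._z.unconsumed_tail
            if not pending and len(piece) < STEP:  # zlib has nothing more to give
                return bytes(out)


def inflate_or_reject(blob: bytes):
    """Inflate one compressed blob; return (True, xml) or (False, reason)."""
    try:
        return True, BoundedInflater().feed(blob)
    except DecompressionBomb as exc:
        return False, str(exc)


# Constructed sample inputs, not taken from any real capture.
BENIGN_STANZA = b'<message to="alice@example.net"><body>hi</body></message>'
BENIGN_BLOB = zlib.compress(BENIGN_STANZA)
BOMB_BLOB = zlib.compress(b"<a/>" * (1 << 20))  # ~4 MiB of XML from a few KiB
```

The same checks hold when the compressed stream arrives in small network-sized pieces, since `bytes_in` and `bytes_out` accumulate across calls to `feed`.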