CVE-2010-0305 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0305): ejabberd_c2s.erl in ejabberd before 2.1.3 allows remote attackers to cause a denial of service (daemon crash) via a large number of c2s (aka client2server) messages that trigger a queue overload.
*** Bug 303016 has been marked as a duplicate of this bug. ***
Rerating B3 for DoS.
Can't see a 2.1.3 release. Does that mean that it's only a planned release, and currently the code is fixed only in git currently? This will probably need some bumping in http://bugs.gentoo.org/show_bug.cgi?id=281366
Patch: https://support.process-one.net/browse/EJAB-1173;jsessionid=CC9A1D875A20197DD4571444DA8C1EFB?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel https://support.process-one.net/browse/EJAB-1173 says: Affects Version/s: ejabberd 2.1.2 Fix Version/s: ejabberd 2.1.3 And we got: http://www.ejabberd.im/ejabberd-2.1.3 Please provide an updated ebuild.
Hi Guys, Is there any chance that this would be marked stable soon? Thank you,
We should bump to 2.1.3 ASAP, bug 281366.
Ok, I've bumped and just unmasked 2.1.4 in tree. A week from now if nothing pops up it'll be ok to start stabilization.
arch teams, please, stabilize net-im/ejabberd-2.1.4.
x86: Just a heads up, this is dependent on the ~x86 package shadow-4.1.4.2-r3.
x86: Compiles fine. No errors on running. I *think* its running alright, but I don't know a ton about jabber.
stable x86, thanks Dane
shadow-4.1.4.2-r3 has a small regression that no one noticed until it went stable. ive added shadow-4.1.4.2-r4 with the small fix.
x86 done again
amd64 done
Vote: no.
I vote YES here.
GLSA Vote: Yes, request filed.
This issue was resolved and addressed in GLSA 201206-10 at http://security.gentoo.org/glsa/glsa-201206-10.xml by GLSA coordinator Stefan Behte (craig).
