Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 308047 (CVE-2010-0305) - <net-im/ejabberd-2.1.3: Denial of Service Vulnerability (CVE-2010-0305)
Summary: <net-im/ejabberd-2.1.3: Denial of Service Vulnerability (CVE-2010-0305)
Alias: CVE-2010-0305
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
: 303016 (view as bug list)
Depends on: 281366 327605
  Show dependency tree
Reported: 2010-03-06 15:35 UTC by Stefan Behte (RETIRED)
Modified: 2012-06-21 18:20 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:35:17 UTC
CVE-2010-0305 (
  ejabberd_c2s.erl in ejabberd before 2.1.3 allows remote attackers to
  cause a denial of service (daemon crash) via a large number of c2s
  (aka client2server) messages that trigger a queue overload.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:53:45 UTC
*** Bug 303016 has been marked as a duplicate of this bug. ***
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-07 09:10:31 UTC
Rerating B3 for DoS.
Comment 3 Antek Grzymała (antoszka) 2010-03-10 09:50:32 UTC
Can't see a 2.1.3 release. Does that mean that it's only a planned release, and currently the code is fixed only in git currently? This will probably need some bumping in
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-18 00:12:51 UTC
Patch:;jsessionid=CC9A1D875A20197DD4571444DA8C1EFB?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel says:
Affects Version/s:  	 ejabberd 2.1.2
Fix Version/s: 	         ejabberd 2.1.3

And we got:

Please provide an updated ebuild.
Comment 5 Joshua Wright 2010-03-18 09:15:19 UTC
Hi Guys,

Is there any chance that this would be marked stable soon?

Thank you,
Comment 6 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2010-04-10 14:18:20 UTC
We should bump to 2.1.3 ASAP, bug 281366.
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2010-06-21 08:02:53 UTC
Ok, I've bumped and just unmasked 2.1.4 in tree. A week from now if nothing pops up it'll be ok to start stabilization.
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2010-07-01 13:35:55 UTC
arch teams, please, stabilize net-im/ejabberd-2.1.4.
Comment 9 Dane Smith (RETIRED) gentoo-dev 2010-07-01 13:46:16 UTC
x86: Just a heads up, this is dependent on the ~x86 package shadow-

Comment 10 Dane Smith (RETIRED) gentoo-dev 2010-07-01 14:28:58 UTC
x86: Compiles fine. No errors on running. I *think* its running alright, but I don't know a ton about jabber.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-03 08:09:17 UTC
stable x86, thanks Dane
Comment 12 SpanKY gentoo-dev 2010-07-10 00:47:42 UTC
shadow- has a small regression that no one noticed until it went stable.  ive added shadow- with the small fix.
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-10 15:35:15 UTC
x86 done again
Comment 14 Markos Chandras (RETIRED) gentoo-dev 2010-07-12 17:34:51 UTC
amd64 done
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:27:19 UTC
Vote: no.
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:43:11 UTC
I vote YES here.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2010-11-18 20:50:18 UTC
GLSA Vote: Yes, request filed.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 18:20:23 UTC
This issue was resolved and addressed in
 GLSA 201206-10 at
by GLSA coordinator Stefan Behte (craig).