From http://www.ejabberd.im/ejabberd-2.1.7: ejabberd 2.1.7, and ejabberd 3.0.0-alpha-3, and exmpp 0.9.7 have been released, after a few months of development. They contain a lot of bugfixes, improvements and some new features. If you have ejabberd running in a public server, please update it immediately: those releases contain a security fix that disables entity expansion completely to prevent billion laughs DoS attack (CVE-2011-1753). Reproducible: Always
Looks like ejabberd-2.1.8 was released also. http://www.ejabberd.im/ejabberd-2.1.8 The ejabberd 2.1.7 released yesterday contains a bug that breaks PubSub. If you use ejabberd 2.1.7 and PubSub, you can find the patch and the fixed mod_pubsub.beam in the page EJAB-1457.
Thank you for the report, Federico. The new version is in the tree. Arch teams, please stabilize.
USE=mod_statsdx seems a bit broken as the upstream filename has changed... Besides that, it looks good here on x86. ewarn "mod_statsdx is not a part of upstream tarball but is a third-party module" ewarn "taken from here: http://www.ejabberd.im/mod_stats2file" - epatch "${WORKDIR}/2.1.1-mod_statsdx.patch" + epatch "${WORKDIR}/ejabberd-mod_statsdx-1080.patch"
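Review bot: the third-party patch's file name is spelled out twice in the ebuild, once as the distfile in SRC_URI (the later emerge log unpacks ejabberd-mod_statsdx-1080.patch.gz, so it is fetched as a distfile) and once in the epatch call changed in this hunk, and the two have already drifted once (the committed ebuild still looked for 2.1.1-mod_statsdx.patch while the unpacked file was ejabberd-mod_statsdx-1080.patch). Assign the name once, e.g. `STATSDX_PATCH="ejabberd-mod_statsdx-1080.patch"`, and reference it from both SRC_URI and `epatch "${WORKDIR}/${STATSDX_PATCH}"`, so a future rename cannot desynchronise them. Also note the two ewarn context lines say the module comes from the mod_stats2file page while the module is called mod_statsdx; worth confirming the URL is the actual source of the patch.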
(In reply to comment #3) > USE=mod_statsdx seems a bit broken as the upstream filename has changed... This is an intentional change. I guess the file was removed before I committed the ebuild, and now I have put it on the mirrors again.
(In reply to comment #4) > (In reply to comment #3) > > USE=mod_statsdx seems a bit broken as the upstream filename has changed... > > This is an intentional change. I guess the file was removed before I committed the > ebuild, and now I have put it on the mirrors again. amd64: ditto x86. Emerges fine but for mod_statsdx. Is the ebuild up for a final adjustment?
(In reply to comment #5) > ditto x86. emerges fine but for the mod_statsdx. Guys, could you at least show the error message or something?
(In reply to comment #6)
> Guys, could you at least show the error message or something?

>>> Unpacking source...
>>> Unpacking ejabberd-2.1.8.tar.gz to /var/tmp/portage/net-im/ejabberd-2.1.8/work
>>> Unpacking ejabberd-mod_statsdx-1080.patch.gz to /var/tmp/portage/net-im/ejabberd-2.1.8/work
>>> Source unpacked in /var/tmp/portage/net-im/ejabberd-2.1.8/work
>>> Preparing source in /var/tmp/portage/net-im/ejabberd-2.1.8/work/ejabberd-2.1.8/src ...
 * mod_statsdx is not a part of upstream tarball but is a third-party module
 * taken from here: http://www.ejabberd.im/mod_stats2file
 * Cannot find $EPATCH_SOURCE! Value for $EPATCH_SOURCE is:
 *
 *   /var/tmp/portage/net-im/ejabberd-2.1.8/work/2.1.1-mod_statsdx.patch
 *   ( 2.1.1-mod_statsdx.patch )

# ls -l /var/tmp/portage/net-im/ejabberd-2.1.8/work/*.patch
-rw-r--r-- 1 root root 69688 Jun 16 06:12 /var/tmp/portage/net-im/ejabberd-2.1.8/work/ejabberd-mod_statsdx-1080.patch
Thank you, Andreas. I forgot to push all changes from the overlay... Now everything should be in place.
amd64 done
x86 stable, thanks Andreas. All arches done.
Thanks, folks. GLSA Vote: yes.
CVE-2011-1753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1753): expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
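The nested-entity document the CVE text describes, together with the mitigation the 2.1.7 release notes mention (refusing entity expansion outright), as an added Python example that is not part of this bug report, of ejabberd's expat_erl.c, or of exmpp. It uses the stdlib expat binding; the entity names, depth/fanout parameters and the sample stanza are constructed for the illustration. The point it makes is that the declaration handler fires on the first `<!ENTITY ...>` in the DTD, so the parser bails out before any reference in the body is expanded and no amplified text is ever allocated; since XMPP streams must not carry DTD subsets at all (RFC 6120, section 11.1), refusing declarations loses no legitimate input.

```python
"""Constructed example (not ejabberd code): the billion-laughs document shape
behind CVE-2011-1753 and the mitigation of refusing entity declarations
before expansion can start."""
from __future__ import annotations

import xml.parsers.expat


class EntityDeclarationError(ValueError):
    """Raised when a stream carries a DTD entity declaration."""


def build_billion_laughs(depth: int = 10, fanout: int = 10) -> bytes:
    """Build a nested-entity document: level i references level i-1 `fanout` times.

    The document itself stays under 1 KiB, but fully expanding the reference in
    the body would produce len("lol") * fanout**(depth-1) characters
    (3 GB for the default 10/10).
    """
    lines = ['<?xml version="1.0"?>', '<!DOCTYPE lolz [', ' <!ENTITY lol0 "lol">']
    for i in range(1, depth):
        refs = f"&lol{i - 1};" * fanout
        lines.append(f' <!ENTITY lol{i} "{refs}">')
    lines.append(']>')
    lines.append(f'<lolz>&lol{depth - 1};</lolz>')
    return "\n".join(lines).encode()


def expanded_size(depth: int = 10, fanout: int = 10) -> int:
    """Characters produced if the outermost entity were fully expanded."""
    return len("lol") * fanout ** (depth - 1)


def parse_stanza(data: bytes) -> tuple[list[str], str]:
    """Parse XML with expat, refusing any entity declaration.

    Returns (element names in document order, concatenated character data).
    Raises EntityDeclarationError as soon as the DTD declares an entity, which
    happens before the parser reaches (and would expand) any reference in the
    element content.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements: list[str] = []
    text: list[str] = []

    def on_start(name, attrs):
        elements.append(name)

    def on_chars(chunk):
        text.append(chunk)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal and external declarations both land here; refuse all of them.
        raise EntityDeclarationError(f"entity declaration {name!r} refused")

    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)  # an exception raised in a handler propagates out of Parse
    return elements, "".join(text)


def is_rejected(data: bytes) -> bool:
    """True if the document was refused because of an entity declaration."""
    try:
        parse_stanza(data)
    except EntityDeclarationError:
        return True
    return False


# Constructed sample stanza; the address is a placeholder.
SAFE_STANZA = b'<message to="juliet@example.org"><body>hello</body></message>'

if __name__ == "__main__":
    doc = build_billion_laughs()
    print(f"payload bytes: {len(doc)}, would expand to: {expanded_size():,} chars")
    print("billion laughs rejected:", is_rejected(doc))
    print("normal stanza:", parse_stanza(SAFE_STANZA))
```

Run it directly to see the sub-kilobyte payload, its theoretical expansion size, the refusal, and a normal stanza parsing as usual. Newer expat releases also enforce an amplification limit on their own, but the declaration-refusal approach does not depend on that and matches what the ejabberd fix did.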
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in GLSA 201206-10 at http://security.gentoo.org/glsa/glsa-201206-10.xml by GLSA coordinator Stefan Behte (craig).