Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 369739 (CVE-2011-1755) - <net-im/jabberd2-2.2.14-r1: security update (CVE-2011-1755)
Summary: <net-im/jabberd2-2.2.14-r1: security update (CVE-2011-1755)
Status: RESOLVED FIXED
Alias: CVE-2011-1755
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://codex.xiaoka.com/svn/jabberd2/...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-02 07:27 UTC by Maxim Britov
Modified: 2013-12-04 07:22 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Maxim Britov 2011-06-02 07:27:00 UTC 
Jabberd2 2.2.14 security release: This is a security release dealing with “billion laughs” attack possibility discovered in many XMPP servers (CVE-2011-1755).

ATM 2.2.8 in the tree.

Patch for 2.2.8 in Debian:
http://patch-tracker.debian.org/patch/series/view/jabberd2/2.2.8-2.1/CVE-2011-1755.dpatch

Please look. Thanks.

Reproducible: Didn't try
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-06-03 16:47:18 UTC 
(In reply to comment #0)
> Jabberd2 2.2.14 security release: This is a security release dealing with
> “billion laughs” attack possibility discovered in many XMPP servers
> (CVE-2011-1755).
> 

Thank you for the report.

From the upstream changelog at $URL:

2011-06-01 Tomasz Sterna <tomek@xiaoka.com>
	* Prevent the "billion laughs" attack against expat by disabling internal
	  entity expansion.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:09:27 UTC 
CVE-2011-1755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1755):
  jabberd2 before 2.2.14 does not properly detect recursion during entity
  expansion, which allows remote attackers to cause a denial of service
  (memory and CPU consumption) via a crafted XML document containing a large
  number of nested entity references, a similar issue to CVE-2003-1564.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-12 22:05:20 UTC 
2.2.14 in tree. Arches, please test and stabilize:
=net-im/jabberd2-2.2.14-r1
Target arches: amd64 ppc sparc x86
Comment 4 Agostino Sarubbo gentoo-dev 2013-09-14 08:13:48 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-14 10:13:54 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-09-14 10:37:45 UTC 
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-09-14 10:40:23 UTC 
sparc stable
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-25 17:50:00 UTC 
GLSA vote: no.
Comment 9 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-25 17:57:14 UTC 
Also, @maintainers: please drop affected, will do so in 30 days if no response.
Comment 10 Sergey Popov gentoo-dev 2013-10-07 07:56:01 UTC 
GLSA vote: no
Comment 11 Sergey Popov gentoo-dev 2013-12-04 07:20:18 UTC 
+  04 Dec 2013; Sergey Popov <pinkbyte@gentoo.org> -jabberd2-2.2.1.ebuild,
+  -files/jabberd2-2.2.1.init, -files/jabberd2-2.2.1.pamd,
+  -jabberd2-2.2.4.ebuild, -files/jabberd2-2.2.4.init,
+  -files/jabberd2-2.2.4.pamd, -jabberd2-2.2.5.ebuild,
+  -files/jabberd2-2.2.5.init, -files/jabberd2-2.2.5.pamd,
+  -jabberd2-2.2.8.ebuild:
+  Security cleanup, bug #369739