Jabberd2 2.2.14 security release: This is a security release dealing with the “billion laughs” attack possibility discovered in many XMPP servers (CVE-2011-1755).

ATM 2.2.8 in the tree.

Patch for 2.2.8 in Debian:
http://patch-tracker.debian.org/patch/series/view/jabberd2/2.2.8-2.1/CVE-2011-1755.dpatch

Please look. Thanks.

Reproducible: Didn't try
(In reply to comment #0)
> Jabberd2 2.2.14 security release: This is a security release dealing with
> “billion laughs” attack possibility discovered in many XMPP servers
> (CVE-2011-1755).

Thank you for the report. From the upstream changelog at $URL:

2011-06-01 Tomasz Sterna <tomek@xiaoka.com>
    * Prevent the "billion laughs" attack against expat by disabling internal entity expansion.
CVE-2011-1755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1755): jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
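The mechanism behind CVE-2011-1755 and the mitigation the 2.2.14 changelog names, as an added example that is not part of this bug report or of jabberd2's own code: Python's xml.parsers.expat wraps the same libexpat that jabberd2 parses XMPP streams with, so a constructed, scaled-down billion-laughs document (three levels of ten-fold expansion instead of nine) shows the amplification with expat's defaults, and an EntityDeclHandler that aborts on the first <!ENTITY> declaration shows what "disabling internal entity expansion" looks like when done at the parser callback level. Function and constant names (parse_default, parse_hardened, accepts, BILLION_LAUGHS_SMALL, BENIGN_STANZA) are the example's own, not jabberd2 identifiers.

```python
"""Billion-laughs amplification with libexpat, and one way to refuse it.

Added example (not from the bug report or jabberd2): Python's
xml.parsers.expat wraps the same libexpat that jabberd2 parses XMPP
streams with, so it shows both halves of CVE-2011-1755: what default
entity expansion does to a nested-entity document, and what refusing
internal entity declarations looks like via an entity-declaration
handler that aborts the parse.
"""
import xml.parsers.expat as expat

# Constructed sample: the classic payload cut down to three levels of
# ten-fold expansion (10**3 copies of "lol" from ~330 bytes of input).
# The real attack uses nine levels, i.e. 10**9 copies: gigabytes of
# character data from a document that fits in one TCP segment.
BILLION_LAUGHS_SMALL = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE lolz [\n'
    ' <!ENTITY lol "lol">\n'
    ' <!ENTITY lol1 "' + '&lol;' * 10 + '">\n'
    ' <!ENTITY lol2 "' + '&lol1;' * 10 + '">\n'
    ' <!ENTITY lol3 "' + '&lol2;' * 10 + '">\n'
    ']>\n'
    '<lolz>&lol3;</lolz>'
)

# Constructed sample of what an XMPP peer legitimately sends: no DTD,
# only the predefined entities (here &lt;), which expat resolves
# without any <!ENTITY> declaration.
BENIGN_STANZA = '<message><body>&lt;3 hello</body></message>'


class EntityDeclared(Exception):
    """Raised by the hardened parser on the first <!ENTITY ...> seen."""


def _count_chars(parser, doc):
    """Drive `parser` over `doc` and return how many characters of
    character data expat handed to the application. For the
    billion-laughs document that number is the amplified payload size."""
    total = 0

    def on_chars(data):
        nonlocal total
        total += len(data)

    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return total


def parse_default(doc):
    """expat with default settings: internal general entities are
    expanded in place, so nested declarations multiply."""
    return _count_chars(expat.ParserCreate(), doc)


def parse_hardened(doc):
    """Refuse any entity declaration, internal or external, by aborting
    from the EntityDeclHandler. In XMPP this loses nothing: RFC 6120
    forbids DTD subsets and non-predefined entity references on the
    stream, so a peer that sends <!ENTITY> is already out of spec."""

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # An exception raised inside a pyexpat handler propagates out of
        # Parse(), which stops the expansion before it starts.
        raise EntityDeclared(name)

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    return _count_chars(parser, doc)


def accepts(doc):
    """Return (accepted, chars_delivered) for the hardened parser: the
    decision a server would take on an inbound stream fragment."""
    try:
        return True, parse_hardened(doc)
    except EntityDeclared:
        return False, 0


if __name__ == "__main__":
    print("default parser delivered", parse_default(BILLION_LAUGHS_SMALL), "chars")
    print("hardened parser on payload:", accepts(BILLION_LAUGHS_SMALL))
    print("hardened parser on stanza: ", accepts(BENIGN_STANZA))
```

The three-level document expands to 3000 characters of "lol"; with nine levels the same input is a multi-gigabyte allocation, which is the memory and CPU consumption the CVE text describes. Note that libexpat 2.4.0 and later ship their own amplification limit (XML_SetBillionLaughsAttackProtectionMaximumAmplification, default factor 100 above an 8 MiB activation threshold), so on a current expat a parser without the handler above is bounded but still does far more work than an XMPP server should accept; rejecting the declaration outright, as the 2.2.14 fix does, is the right policy for a protocol that never uses DTDs.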
2.2.14 in tree. Arches, please test and stabilize:
=net-im/jabberd2-2.2.14-r1
Target arches: amd64 ppc sparc x86
amd64 stable
x86 stable
ppc stable
sparc stable
GLSA vote: no.
Also, @maintainers: please drop affected, will do so in 30 days if no response.
GLSA vote: no
+ 04 Dec 2013; Sergey Popov <pinkbyte@gentoo.org> -jabberd2-2.2.1.ebuild, + -files/jabberd2-2.2.1.init, -files/jabberd2-2.2.1.pamd, + -jabberd2-2.2.4.ebuild, -files/jabberd2-2.2.4.init, + -files/jabberd2-2.2.4.pamd, -jabberd2-2.2.5.ebuild, + -files/jabberd2-2.2.5.init, -files/jabberd2-2.2.5.pamd, + -jabberd2-2.2.8.ebuild: + Security cleanup, bug #369739
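Review bot: the removal list names init and pamd files for 2.2.1, 2.2.4 and 2.2.5 but only the ebuild for 2.2.8 (`-jabberd2-2.2.8.ebuild` with no matching `-files/jabberd2-2.2.8.init` or `.pamd`), so either 2.2.8 shared its init/pamd files with a version that stays in the tree or those files were not tracked per version; worth confirming that nothing orphaned is left under files/ after the cleanup. The scope otherwise matches the bug: every removed version is below 2.2.14, the first release the CVE text lists as unaffected.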