Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 386075 (CVE-2011-4320) - <net-im/ejabberd-2.1.9: Denial of Service (CVE-2011-4320)
Summary: <net-im/ejabberd-2.1.9: Denial of Service (CVE-2011-4320)
Alias: CVE-2011-4320
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
: 392889 (view as bug list)
Depends on:
Reported: 2011-10-07 13:18 UTC by Anton Podavalov
Modified: 2012-06-21 18:20 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Anton Podavalov 2011-10-07 13:18:44 UTC
The new version of the ejabberd has been released.

Reproducible: Always
Comment 1 Vadim Efimov 2011-10-09 15:31:11 UTC
rename of the ejabberd ebuild works fine.
Comment 2 Hanno Böck gentoo-dev 2011-11-19 11:24:28 UTC
This is a security issue, see changes:
PubSub: Fix Denial of Service when user sends malformed publish stanza (EJAB-1498)

I've requested a CVE id.
Comment 3 Agostino Sarubbo gentoo-dev 2011-12-02 15:22:38 UTC
*** Bug 392889 has been marked as a duplicate of this bug. ***
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2011-12-17 03:28:22 UTC
New version is in the tree. Arch teams, please, stabilize.
Target KEYWORDS="amd64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2011-12-17 15:39:38 UTC
metadata.warning              1
   net-im/ejabberd/metadata.xml: unused local USE-description: 'mod_srl'

amd64 stable
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-12-21 08:49:06 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2011-12-21 09:15:18 UTC
Thanks folks, 

@security, please proceed to vote.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-12-21 14:13:39 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 01:29:15 UTC
CVE-2011-4320 (
  The mod_pubsub module (mod_pubsub.erl) in ejabberd 2.1.8 and 3.0.0-alpha-3
  allows remote authenticated users to cause a denial of service (infinite
  loop) via a stanza with a publish tag that lacks a node attribute.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:03:57 UTC
Votes: Yes. GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 18:20:32 UTC
This issue was resolved and addressed in
 GLSA 201206-10 at
by GLSA coordinator Stefan Behte (craig).