The new version of ejabberd has been released. Reproducible: Always
Rename of the ejabberd ebuild works fine.
This is a security issue, see changes: http://www.ejabberd.im/ejabberd-2.1.9 "PubSub: Fix Denial of Service when user sends malformed publish stanza (EJAB-1498)". I've requested a CVE id.
*** Bug 392889 has been marked as a duplicate of this bug. ***
New version is in the tree. Arch teams, please, stabilize. =net-im/ejabberd-2.1.9 Target KEYWORDS="amd64 x86"
@pva: metadata.warning 1 net-im/ejabberd/metadata.xml: unused local USE-description: 'mod_srl'
amd64 stable
x86 stable
Thanks folks, @security, please proceed to vote.
Thanks, everyone. GLSA Vote: yes.
CVE-2011-4320 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4320): The mod_pubsub module (mod_pubsub.erl) in ejabberd 2.1.8 and 3.0.0-alpha-3 allows remote authenticated users to cause a denial of service (infinite loop) via a stanza with a publish tag that lacks a node attribute.
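The input check that the CVE description above implies, as an added example that is not part of this bug thread and not ejabberd's own code: it classifies a stanza before dispatch and refuses any publish element without a node attribute. The function names, verdict strings and sample stanzas are constructed for illustration; the namespace is the XEP-0060 pubsub namespace.

```python
import xml.etree.ElementTree as ET

PUBSUB_NS = "http://jabber.org/protocol/pubsub"
PUBLISH_PATH = "{%s}pubsub/{%s}publish" % (PUBSUB_NS, PUBSUB_NS)


def _iq(payload):
    # Wrap a payload in a constructed <iq/> element for the samples below.
    return ('<iq xmlns="jabber:client" type="set" id="s1" '
            'to="pubsub.example.org">%s</iq>' % payload)


# Constructed sample stanzas (not captured traffic).
SAMPLES = {
    "with_node": _iq('<pubsub xmlns="%s"><publish node="news">'
                     '<item id="1"/></publish></pubsub>' % PUBSUB_NS),
    "no_node": _iq('<pubsub xmlns="%s"><publish><item id="1"/>'
                   '</publish></pubsub>' % PUBSUB_NS),
    "not_pubsub": _iq('<query xmlns="jabber:iq:version"/>'),
    "broken_xml": '<iq type="set"><pubsub',
}


def classify_publish(stanza_xml):
    """Hypothetical pre-dispatch check: return 'accept', 'not-publish',
    'reject-missing-node' or 'reject-unparseable' for one stanza."""
    try:
        root = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return "reject-unparseable"
    publishes = root.findall(PUBLISH_PATH)
    if not publishes:
        return "not-publish"
    # Every <publish/> must carry a node attribute; refuse the stanza
    # before any node lookup runs instead of relying on the handler.
    if any(p.get("node") is None for p in publishes):
        return "reject-missing-node"
    return "accept"


def scan(samples):
    # Map each sample name to its verdict.
    return {name: classify_publish(xml) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print("%-12s %s" % (name, verdict))
```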
Votes: Yes. GLSA request filed.
This issue was resolved and addressed in GLSA 201206-10 at http://security.gentoo.org/glsa/glsa-201206-10.xml by GLSA coordinator Stefan Behte (craig).