CVE-2012-3525 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3525): s2s/out.c in jabberd2 2.2.16 and earlier does not verify that a request was made for an XMPP Server Dialback response, which allows remote XMPP servers to spoof domains via a (1) Verify Response or (2) Authorization Response.
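The description above says the outbound s2s code accepted dialback responses without checking that it had ever sent the corresponding request. The model below is an added example, not code from jabberd2 or from this bug: a constructed Python class that records each db:result and db:verify request it originates and accepts a response only if it matches an outstanding request. The domain names, stream id and key are made up for the demonstration. Method names and the bookkeeping structure are assumptions for illustration, not jabberd2's own.

```python
"""Model of the dialback state check described by CVE-2012-3525.

Constructed example, not jabberd2 code. Each outbound server-to-server
stream keeps a record of the dialback requests it actually sent, and only
a response that answers an outstanding request can authorize a route.
"""
import xml.etree.ElementTree as ET

DB_NS = "jabber:server:dialback"
DB_RESULT = "{%s}result" % DB_NS
DB_VERIFY = "{%s}verify" % DB_NS


class OutboundS2S:
    """Dialback bookkeeping for one outgoing s2s stream (hypothetical)."""

    def __init__(self, local_domain):
        self.local_domain = local_domain
        self.pending_results = set()    # (our_domain, their_domain)
        self.pending_verifies = set()   # (our_domain, their_domain, stream_id)
        self.authorized = set()         # routes cleared to carry stanzas
        self.verified = {}              # (our_domain, their_domain, stream_id) -> bool
        self.rejected = []              # unsolicited responses, for logging

    # Requests we originate; each is recorded so its response can be matched.
    def send_result(self, their_domain, key):
        self.pending_results.add((self.local_domain, their_domain))
        return ('<db:result xmlns:db="%s" from="%s" to="%s">%s</db:result>'
                % (DB_NS, self.local_domain, their_domain, key))

    def send_verify(self, their_domain, stream_id, key):
        self.pending_verifies.add((self.local_domain, their_domain, stream_id))
        return ('<db:verify xmlns:db="%s" from="%s" to="%s" id="%s">%s</db:verify>'
                % (DB_NS, self.local_domain, their_domain, stream_id, key))

    # Behaviour the CVE text describes: any type="valid" response is believed,
    # whether or not a request for it was ever sent.
    def handle_response_unchecked(self, xml):
        el = ET.fromstring(xml)
        route = (el.get("to"), el.get("from"))   # response addresses are reversed
        if el.tag == DB_RESULT and el.get("type") == "valid":
            self.authorized.add(route)
            return True
        if el.tag == DB_VERIFY and el.get("type") in ("valid", "invalid"):
            self.verified[route + (el.get("id"),)] = el.get("type") == "valid"
            return True
        return False

    # Hardened behaviour: a response counts only if it answers a recorded
    # request, and each request can be answered once (no replay).
    def handle_response_checked(self, xml):
        el = ET.fromstring(xml)
        route = (el.get("to"), el.get("from"))
        kind = el.get("type")
        if el.tag == DB_RESULT and kind in ("valid", "invalid"):
            if route not in self.pending_results:
                self.rejected.append(("unsolicited db:result", route))
                return False
            self.pending_results.discard(route)
            if kind == "valid":
                self.authorized.add(route)
            return True
        if el.tag == DB_VERIFY and kind in ("valid", "invalid"):
            key = route + (el.get("id"),)
            if key not in self.pending_verifies:
                self.rejected.append(("unsolicited db:verify", key))
                return False
            self.pending_verifies.discard(key)
            self.verified[key] = kind == "valid"
            return True
        self.rejected.append(("malformed dialback response", el.tag))
        return False


def demo():
    """Constructed exchange: one genuine authorization response, one spoof."""
    local = OutboundS2S("example.org")
    local.send_result("partner.example", key="deadbeef")

    genuine = ('<db:result xmlns:db="%s" from="partner.example" '
               'to="example.org" type="valid"/>' % DB_NS)
    # A peer claims a route to a domain we never asked about.
    spoof = ('<db:result xmlns:db="%s" from="victim.example" '
             'to="example.org" type="valid"/>' % DB_NS)

    unchecked = OutboundS2S("example.org")
    unchecked.handle_response_unchecked(spoof)   # believed: route is spoofed

    local.handle_response_checked(genuine)       # accepted: matches a request
    local.handle_response_checked(spoof)         # rejected: nothing pending
    return (("example.org", "victim.example") in unchecked.authorized,
            ("example.org", "partner.example") in local.authorized,
            ("example.org", "victim.example") in local.authorized,
            len(local.rejected))


if __name__ == "__main__":
    print(demo())  # (True, True, False, 1)
```

The same lookup serves both response types named in the CVE text: a db:result (authorization response) is matched on the domain pair, a db:verify (verify response) additionally on the stream id it was sent for. Discarding the pending entry on first use means a captured response cannot be replayed to re-authorize a route later.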
jabberd-2.2.17.tar.xz (jabberd 2.2.17 release) includes the fix.
Should bug #314473 be a blocker for this bug?
Nearly half a year has passed since this bug was reported; upstream has released a fixed version, but we don't have it in the portage tree. It's really a pity :(
(In reply to cyberbat from comment #3)
> Nearly half a year has passed since this bug was reported; upstream has released a fixed version, but we don't have it in the portage tree. It's really a pity :(
bumped
2.2.17 is gone from the tree; the current non-vulnerable version in the tree is 2.3.1-r1. @maintainers: is it OK to stabilize it?
yes
Arches, please test and mark stable:
=net-im/jabberd2-2.3.1-r1
Target keywords: "amd64 ppc sparc x86"
amd64 stable
x86 stable
ppc stable
sparc stable. Maintainer(s), please clean up. Security, please vote.
(In reply to Agostino Sarubbo from comment #11)
> Maintainer(s), please clean up.
done
Thanks for your work. GLSA vote: no
GLSA vote: no. Closing as [noglsa].