Bug 432936 (CVE-2012-3525) - <net-im/jabberd2-2.3.1-r1: XMPP dialback domain spoofing (CVE-2012-3525)
Summary: <net-im/jabberd2-2.3.1-r1: XMPP dialback domain spoofing (CVE-2012-3525)
Status: RESOLVED FIXED
Alias: CVE-2012-3525
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 314473
Blocks:
Reported: 2012-08-27 07:56 UTC by GLSAMaker/CVETool Bot
Modified: 2014-02-26 17:29 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2012-08-27 07:56:43 UTC
CVE-2012-3525 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3525):
  s2s/out.c in jabberd2 2.2.16 and earlier does not verify that a request was
  made for an XMPP Server Dialback response, which allows remote XMPP servers
  to spoof domains via a (1) Verify Response or (2) Authorization Response.
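The description above names the missing check: an outgoing s2s connection accepted a Verify Response or an Authorization Response without confirming that it had sent the corresponding request. The following Python model is added here as an illustration; it is not jabberd2's s2s/out.c and does not reproduce its data structures. It runs the same dialback exchange once without the check (the behaviour the CVE describes) and once with a check that a matching request is outstanding. The domain names, keys, stream ids and stanzas are constructed sample data, and the class and function names are this example's own.

```python
"""Simplified model of the XMPP Server Dialback response check behind
CVE-2012-3525 (added example; this is not jabberd2 code).

On an outgoing s2s connection we send <db:result> (authorization request)
and <db:verify> (verification request) and later receive the peer's typed
responses. The flaw: a response was accepted without checking that the
matching request had ever been sent, so the peer could hand us a
type='valid' answer for any 'from' domain it liked.
"""

import xml.etree.ElementTree as ET

DB_NS = "jabber:server:dialback"  # XEP-0220 dialback namespace


def parse(stanza: str) -> ET.Element:
    """Parse one dialback stanza; a wrapper declares the db: prefix."""
    wrapped = f'<stream xmlns:db="{DB_NS}">{stanza}</stream>'
    return ET.fromstring(wrapped)[0]


class OutConn:
    """One outgoing s2s connection, with or without the request check."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.pending_results = set()  # (local, remote) <db:result> we sent
        self.pending_verify = set()   # (local, remote, stream id) <db:verify> we sent
        self.valid_routes = set()     # (local, remote) pairs dialback proved
        self.verified = {}            # (local, remote, stream id) -> 'valid'/'invalid'

    def send_result(self, local, remote, key):
        self.pending_results.add((local, remote))
        return f'<db:result from="{local}" to="{remote}">{key}</db:result>'

    def send_verify(self, local, remote, stream_id, key):
        self.pending_verify.add((local, remote, stream_id))
        return (f'<db:verify from="{local}" to="{remote}" '
                f'id="{stream_id}">{key}</db:verify>')

    def receive(self, stanza):
        el = parse(stanza)
        rtype = el.get("type")
        # In a response the peer's 'from' is the remote domain, 'to' is ours
        remote, local = el.get("from"), el.get("to")
        if el.tag == f"{{{DB_NS}}}result" and rtype is not None:
            return self._on_result(local, remote, rtype)
        if el.tag == f"{{{DB_NS}}}verify" and rtype is not None:
            return self._on_verify(local, remote, el.get("id"), rtype)
        return "ignored"  # untyped stanzas are requests, not expected here

    def _on_result(self, local, remote, rtype):
        pair = (local, remote)
        if self.hardened:
            # Only accept an Authorization Response we actually asked for,
            # and consume the pending entry so it cannot be replayed.
            if pair not in self.pending_results:
                return "rejected: unsolicited authorization response"
            self.pending_results.discard(pair)
        if rtype == "valid":
            self.valid_routes.add(pair)
        return f"route {local}->{remote} {rtype}"

    def _on_verify(self, local, remote, stream_id, rtype):
        key3 = (local, remote, stream_id)
        if self.hardened:
            # Same rule for a Verify Response: the (from, to, id) triple
            # must match an outstanding <db:verify> of ours.
            if key3 not in self.pending_verify:
                return "rejected: unsolicited verify response"
            self.pending_verify.discard(key3)
        self.verified[key3] = rtype
        return f"verify {stream_id} {rtype}"


def demo(hardened: bool) -> dict:
    """A legitimate exchange with peer.example, then a spoof attempt in
    which the same peer answers on behalf of bank.example. Constructed data."""
    conn = OutConn(hardened)
    conn.send_result("us.example", "peer.example", "k-auth-1")
    legit_result = conn.receive(
        '<db:result type="valid" from="peer.example" to="us.example"/>')
    conn.send_verify("us.example", "peer.example", "s1", "k-auth-1")
    legit_verify = conn.receive(
        '<db:verify type="valid" from="peer.example" to="us.example" id="s1"/>')
    spoof_result = conn.receive(
        '<db:result type="valid" from="bank.example" to="us.example"/>')
    spoof_verify = conn.receive(
        '<db:verify type="valid" from="bank.example" to="us.example" id="s9"/>')
    return {
        "legit_result": legit_result,
        "legit_verify": legit_verify,
        "spoof_result": spoof_result,
        "spoof_verify": spoof_verify,
        "valid_routes": sorted(conn.valid_routes),
        "verified": dict(conn.verified),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", demo(mode))
```

In the unhardened run the route us.example to bank.example ends up in valid_routes although no dialback key was ever sent for it; the hardened run rejects both spoofed responses and keeps only the route that was actually requested.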
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-08-27 08:03:28 UTC
jabberd-2.2.17.tar.xz (jabberd 2.2.17 release) includes the fix
Comment 2 Marcin Mirosław 2012-08-28 08:33:06 UTC
Should be bug #314473 blocker for this bug?
Comment 3 cyberbat 2013-03-26 06:09:57 UTC
Nearly half a year has passed since this bug was reported; upstream has released a fixed version, but we don't have it in the portage tree. It's a real pity :(
Comment 4 Julian Ospald 2013-11-01 21:51:40 UTC
(In reply to cyberbat from comment #3)
> Nearly half a year has passed since this bug was reported; upstream has
> released a fixed version, but we don't have it in the portage tree. It's a real pity :(

bumped
Comment 5 Sergey Popov gentoo-dev 2013-12-27 10:33:35 UTC
2.2.17 is gone from tree, current non-vulnerable version in tree is 2.3.1-r1

@maintainers: is it OK to stable it?
Comment 6 Julian Ospald 2013-12-27 13:26:19 UTC
yes
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 02:13:16 UTC
Arches, please test and mark stable:

=net-im/jabberd2-2.3.1-r1

Target Keywords : "amd64 ppc sparc x86"
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-03 21:11:46 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-03 21:16:43 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-04 12:38:41 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-01-06 09:30:37 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Julian Ospald 2014-01-06 14:46:53 UTC
(In reply to Agostino Sarubbo from comment #11)
> 
> Maintainer(s), please cleanup.

done
Comment 13 Sergey Popov gentoo-dev 2014-02-26 14:41:28 UTC
Thanks for your work.

GLSA vote: no
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-26 17:29:17 UTC
GLSA vote: no.

Closing as [noglsa].