Bug 507134 (CVE-2014-2744) - <net-im/prosody-0.9.4: XML Decompression Denial of Service Vulnerability (CVE-2014-{2744,2745})
Status: RESOLVED FIXED
Alias: CVE-2014-2744
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57749/
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 507078 511532
Blocks:
Reported: 2014-04-08 15:49 UTC by Agostino Sarubbo
Modified: 2015-03-18 22:07 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-04-08 15:49:31 UTC
From ${URL}:

Description

A vulnerability has been reported in Prosody, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when handling compressed streams and can be exploited to exhaust system resources via a specially crafted XML passed over XMPP streams.

Successful exploitation requires that the mod_compression module is enabled (disabled by default).

The vulnerability is reported in versions before 0.9.4. Prior versions may also be affected.


Solution:
Update to version 0.9.4.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Prosody:
http://blog.prosody.im/prosody-0-9-4-released/
http://hg.prosody.im/0.9/rev/b3b1c9da38fb


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
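Prosody itself is written in Lua; the following Python block is an added illustration, not Prosody's code and not part of the advisory, of the two defensive measures the CVE texts on this bug describe: refusing to negotiate stream compression before the session is authenticated (CVE-2014-2744) and bounding how far a compressed stream may inflate before it is cut off (CVE-2014-2745). The `XmppSession` class, the limit values `MAX_RATIO` and `MAX_OUTPUT`, and the two sample streams are assumptions constructed for the example.

```python
"""Bounded inflation for compressed XMPP streams (added example, not Prosody's code).

Assumptions: XmppSession is a toy stand-in for a server session; MAX_RATIO and
MAX_OUTPUT are illustrative policy values; sample streams are constructed inline.
"""
import zlib

MAX_RATIO = 100          # assumed policy: refuse expansion beyond 100:1
MAX_OUTPUT = 1 << 20     # assumed policy: at most 1 MiB of inflated data per stream
INFLATE_CHUNK = 4096     # output bound per decompress() call, keeps each step small
NET_READ = 512           # constructed network read size used by the simulation


class DecompressionBombError(ValueError):
    """Raised when inflated output exceeds the configured limits."""


class BoundedInflater:
    """Wraps zlib.decompressobj and checks size and ratio limits after every
    INFLATE_CHUNK bytes, so an 'xmppbomb'-style stream is cut off long before
    it can exhaust memory."""

    def __init__(self, max_output=MAX_OUTPUT, max_ratio=MAX_RATIO):
        self._dobj = zlib.decompressobj()
        self.max_output = max_output
        self.max_ratio = max_ratio
        self.bytes_in = 0
        self.bytes_out = 0

    def _check_limits(self):
        if self.bytes_out > self.max_output:
            raise DecompressionBombError(
                f"inflated {self.bytes_out} bytes, limit {self.max_output}")
        if self.bytes_in and self.bytes_out / self.bytes_in > self.max_ratio:
            raise DecompressionBombError(
                f"ratio {self.bytes_out / self.bytes_in:.0f}:1 exceeds {self.max_ratio}:1")

    def feed(self, data: bytes) -> bytes:
        """Inflate one network read, checking limits chunk by chunk."""
        self.bytes_in += len(data)
        produced = bytearray()
        pending = data
        while True:
            # max_length bounds the output of a single call; input it could not
            # process yet is handed back in unconsumed_tail.
            chunk = self._dobj.decompress(pending, INFLATE_CHUNK)
            produced += chunk
            self.bytes_out += len(chunk)
            self._check_limits()
            pending = self._dobj.unconsumed_tail
            # A full chunk with no pending input may still leave buffered output
            # inside zlib, so loop again (with empty input) until a short chunk.
            if not pending and len(chunk) < INFLATE_CHUNK:
                return bytes(produced)

    def finish(self) -> bytes:
        """Drain whatever zlib still holds at end of stream, still under the limits."""
        tail = self._dobj.flush()
        self.bytes_out += len(tail)
        self._check_limits()
        return tail


def inflate_stream(compressed: bytes, **limits) -> bytes:
    """Simulate reading a compressed stream in NET_READ-byte pieces and inflating
    each piece under the limits; raises DecompressionBombError on excess."""
    inflater = BoundedInflater(**limits)
    out = bytearray()
    for i in range(0, len(compressed), NET_READ):
        out += inflater.feed(compressed[i:i + NET_READ])
    out += inflater.finish()
    return bytes(out)


def rejects(compressed: bytes, **limits) -> bool:
    """True if the stream is refused under the limits, False if it inflates cleanly."""
    try:
        inflate_stream(compressed, **limits)
    except DecompressionBombError:
        return True
    return False


class XmppSession:
    """Toy session (assumption, not Prosody's session table). Mirrors the
    CVE-2014-2744 fix: a <compress/> request is refused until the session
    has authenticated, so unauthenticated peers never get an inflater."""

    def __init__(self):
        self.authenticated = False
        self.inflater = None

    def negotiate_compression(self) -> bool:
        if not self.authenticated:
            return False
        self.inflater = BoundedInflater()
        return True


# Constructed samples: an ordinary stanza, and a stream of highly repetitive
# data standing in for the kind of input the advisory describes.
LEGIT_XML = (b"<message to='juliet@example.com' from='romeo@example.net'>"
             b"<body>Wherefore art thou?</body></message>")
LEGIT_SAMPLE = zlib.compress(LEGIT_XML)
HIGH_RATIO_SAMPLE = zlib.compress(b"\x00" * (4 << 20), 9)   # ~4 MiB inflates from a few KiB
```

The ratio check catches a highly compressible stream within the first network read, while the absolute output cap is the backstop for streams that stay under the ratio but simply never end; a server would tear down the session on either error rather than keep reading.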
Comment 1 Agostino Sarubbo gentoo-dev 2014-04-11 13:15:36 UTC
CVE-2014-2744 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2744):
  plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch 
  Metronome through 3.4 negotiates stream compression while a session is 
  unauthenticated, which allows remote attackers to cause a denial of service 
  (resource consumption) via compressed XML elements in an XMPP stream, aka 
  an "xmppbomb" attack.
Comment 2 Agostino Sarubbo gentoo-dev 2014-04-11 13:16:32 UTC
CVE-2014-2745 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2745):
  Prosody before 0.9.4 does not properly restrict the processing of compressed 
  XML elements, which allows remote attackers to cause a denial of service 
  (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, 
  related to core/portmanager.lua and util/xmppstream.lua.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-04-11 14:15:39 UTC
CVE-2014-2745 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2745):
  Prosody before 0.9.4 does not properly restrict the processing of compressed
  XML elements, which allows remote attackers to cause a denial of service
  (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack,
  related to core/portmanager.lua and util/xmppstream.lua.

CVE-2014-2744 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2744):
  plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch
  Metronome through 3.4 negotiates stream compression while a session is
  unauthenticated, which allows remote attackers to cause a denial of service
  (resource consumption) via compressed XML elements in an XMPP stream, aka an
  "xmppbomb" attack.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2014-04-11 14:16:47 UTC
It may appear different, but this is only 2 CVEs, not 4.
Comment 5 Jason A. Donenfeld gentoo-dev 2014-04-16 23:28:12 UTC
+*prosody-0.9.4 (16 Apr 2014)
+
+  16 Apr 2014; Jason A. Donenfeld <zx2c4@gentoo.org> +prosody-0.9.4.ebuild:
+  Version bump.
+
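Review bot: The ChangeLog entry at "+  Version bump." carries no bug or CVE reference; for a security bump it would be clearer to cite this bug (#507134) and CVE-2014-2744/2745 in the entry so the reason for the version bump is traceable from the tree history.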
Comment 6 Jason A. Donenfeld gentoo-dev 2014-04-17 00:18:53 UTC
+*luaexpat-1.3.0 (17 Apr 2014)
+
+  17 Apr 2014; Jason A. Donenfeld <zx2c4@gentoo.org> +luaexpat-1.3.0.ebuild:
+  Version bump for prosody.
+
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-04-17 02:59:18 UTC
Maintainers, please advise when ebuilds have had enough testing and are ready for stabilization.

Also a question: no ~hppa ebuild for luaexpat? Just making sure.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2014-09-26 21:52:23 UTC
Maintainers: ping
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2015-01-11 09:04:58 UTC
Please stabilize:

=net-im/prosody-0.9.7

Targets: amd64 arm x86

It has been in the tree for 30 days without open bugs.
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2015-01-11 09:05:22 UTC
Adding arches for stabilization.
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2015-01-11 09:10:18 UTC
amd64 done.
Comment 12 Andreas Schürch gentoo-dev 2015-01-11 14:44:41 UTC
x86 done.
Comment 13 Markus Meier gentoo-dev 2015-02-26 19:09:06 UTC
arm stable, all arches done.
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-26 22:01:14 UTC
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version(s).

First GLSA Vote: No
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 22:05:33 UTC
GLSA vote: no.