From $URL:
Hi,
The Jabberd, before 2.6.1, allowed anyone to authenticate SASL ANONYMOUS, even when sasl.anonymous c2s.xml option is not enabled. The bug allows unauthorized usage of jabberd server installations and could possibly lead to a DoS.
References: https://github.com/jabberd2/jabberd2/releases/tag/jabberd-2.6.1
Upstream fix: https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16
As mentioned in the subject, MITRE has assigned CVE-2017-10807 for this issue.
Regards, Salvatore
@poly-c: Adding you to CC as you were last one to bump this package, are you interested in taking over maintainership?
stabilizing 2.6.1 should be enough for this
amd64 stable
Dropping ppc. No need to stabilize a package masked for removal. Feel free to re-add if the decision is reverted.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b50a30689fca4c60d2b4e625f341daff116e51b6
commit b50a30689fca4c60d2b4e625f341daff116e51b6
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-03-03 17:15:10 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-03-03 17:15:10 +0000
net-im/jabberd2: Removed from repository
Bug: https://bugs.gentoo.org/623806
net-im/jabberd2/Manifest | 2 -
net-im/jabberd2/files/jabberd2-2.3.1.pamd | 6 -
net-im/jabberd2/files/jabberd2-2.3.2.init | 96 -----------
net-im/jabberd2/files/jabberd2-2.3.2.logrotate | 8 -
net-im/jabberd2/files/jabberd2-2.5.0.init | 90 ----------
net-im/jabberd2/jabberd2-2.3.3-r2.ebuild | 159 -----------------
net-im/jabberd2/jabberd2-2.6.1.ebuild | 190 ---------------------
net-im/jabberd2/metadata.xml | 15 --
profiles/arch/sparc/package.use.mask | 4 -
profiles/package.mask | 6 -
x11-misc/screen-message/screen-message-0.24.ebuild | 5 +-
x11-misc/screen-message/screen-message-0.25.ebuild | 5 +-
12 files changed, 4 insertions(+), 582 deletions(-)
Package was removed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b50a30689fca4c60d2b4e625f341daff116e51b6. Added to an existing GLSA request filed.
This issue was resolved and addressed in GLSA 201803-07 at https://security.gentoo.org/glsa/201803-07 by GLSA coordinator Christopher Diaz Riveros (chrisadr).