Date: Wed, 22 Aug 2012 12:10:45 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>
Subject: Re: CVE Request -- jabberd2: Prone to unsolicited XMPP Dialback attacks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/22/2012 09:28 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> a security flaw was found in the XMPP Dialback protocol
> implementation of jabberd2, an open-source server implementation of the
> Jabber protocols (Verify Response and Authorization Response were
> not checked within an XMPP protocol server-to-server session). A rogue
> XMPP server could use this flaw to spoof one or more domains when
> communicating with a vulnerable server implementation, possibly
> leading to a bypass of XMPP's Server Dialback protections.
> 
> References:
> [1] http://xmpp.org/resources/security-notices/server-dialback/
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=850872
> 
> Upstream patch:
> [3] https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2012-3525 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
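Added example, not code from the post, from jabberd2 or from the upstream patch: a small Python model of the dialback bookkeeping a server keeps on both the receiving and the originating side, contrasting a server that honours any `<db:verify>` or `<db:result type='valid'/>` answer it receives (the unchecked-response flaw the request describes) with one that only honours an answer matching a request it actually issued and consumes that request so it cannot be replayed. Server Dialback is XEP-0220; the domain names, stream id, shared secret and the HMAC-based key derivation below are constructed assumptions, and stanzas are plain dicts rather than parsed XML.

```python
"""Simplified model of XMPP Server Dialback (XEP-0220) request tracking.
Added example, not jabberd2 code; the key derivation is an assumed HMAC
construction and the stanzas are constructed dicts, not parsed XML."""
import hashlib
import hmac


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """Key the Originating Server places in <db:result> (assumed HMAC form)."""
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class DialbackTracker:
    """Outstanding-request bookkeeping for one server.

    strict=False reproduces the flaw described in the post: a verify or
    authorization answer is honoured although no matching request was ever
    sent, so a rogue peer can assert any domain pair.  strict=True honours
    only answers that match a request this server issued, and consumes the
    request so the same answer cannot be replayed.
    """

    def __init__(self, strict: bool = True):
        self.strict = strict
        self.pending_verify = {}          # (stream_id, originating, receiving) -> key sent
        self.pending_result = set()       # (originating, receiving) awaiting a verdict
        self.authorized_inbound = set()   # pairs trusted on inbound streams
        self.authorized_outbound = set()  # pairs trusted on outbound streams

    # role: Receiving Server
    def on_result_request(self, stanza: dict, stream_id: str) -> dict:
        """Inbound <db:result from=O to=R>KEY</db:result>: remember it and
        build the <db:verify> to send to the Authoritative Server for O."""
        self.pending_verify[(stream_id, stanza["from"], stanza["to"])] = stanza["key"]
        return {"tag": "db:verify", "from": stanza["to"], "to": stanza["from"],
                "id": stream_id, "key": stanza["key"]}

    def on_verify_response(self, stanza: dict) -> str:
        """<db:verify from=O to=R id=S type=.../> from the Authoritative Server."""
        ident = (stanza["id"], stanza["from"], stanza["to"])
        if self.strict:
            if ident not in self.pending_verify:
                return "rejected-unsolicited"  # nothing outstanding for this stream/pair
            del self.pending_verify[ident]     # one answer per request, no replay
        if stanza.get("type") != "valid":
            return "invalid"
        self.authorized_inbound.add((stanza["from"], stanza["to"]))
        return "valid"

    # role: Originating Server
    def send_result_request(self, originating: str, receiving: str, key: str) -> dict:
        self.pending_result.add((originating, receiving))
        return {"tag": "db:result", "from": originating, "to": receiving, "key": key}

    def on_result_response(self, stanza: dict) -> str:
        """<db:result from=R to=O type=.../> from the Receiving Server."""
        pair = (stanza["to"], stanza["from"])
        if self.strict:
            if pair not in self.pending_result:
                return "rejected-unsolicited"
            self.pending_result.discard(pair)
        if stanza.get("type") != "valid":
            return "invalid"
        self.authorized_outbound.add(pair)
        return "valid"


def legitimate_flow() -> tuple:
    """Constructed exchange between origin.example and recv.example, then a
    replay of the verify answer, which strict mode must refuse."""
    secret = b"constructed-dialback-secret"
    origin, recv = DialbackTracker(), DialbackTracker()
    key = dialback_key(secret, "recv.example", "origin.example", "stream-42")
    request = origin.send_result_request("origin.example", "recv.example", key)
    verify = recv.on_result_request(request, stream_id="stream-42")
    # The Authoritative Server (origin.example) recomputes the key and answers.
    expected = dialback_key(secret, verify["from"], verify["to"], verify["id"])
    answer = {"tag": "db:verify", "from": verify["to"], "to": verify["from"],
              "id": verify["id"],
              "type": "valid" if hmac.compare_digest(expected, verify["key"]) else "invalid"}
    recv_status = recv.on_verify_response(answer)
    result = {"tag": "db:result", "from": "recv.example", "to": "origin.example",
              "type": recv_status}
    origin_status = origin.on_result_response(result)
    replay_status = recv.on_verify_response(answer)
    return recv_status, origin_status, replay_status


def unsolicited_answer(strict: bool) -> str:
    """Constructed rogue peer: a 'valid' verify answer for a domain pair and
    stream this server never asked about."""
    tracker = DialbackTracker(strict=strict)
    forged = {"tag": "db:verify", "from": "spoofed.example", "to": "victim.example",
              "id": "stream-0001", "type": "valid"}
    return tracker.on_verify_response(forged)


if __name__ == "__main__":
    print(legitimate_flow())                 # ('valid', 'valid', 'rejected-unsolicited')
    print(unsolicited_answer(strict=False))  # 'valid': the unchecked-response flaw
    print(unsolicited_answer(strict=True))   # 'rejected-unsolicited'
```

The check that matters is the tuple lookup in `on_verify_response` and `on_result_response`: an answer is only meaningful relative to a request keyed by stream id and the exact (originating, receiving) pair, and deleting the pending entry once it is consumed also closes the door on replaying a genuine answer against a later stream.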
