Date: Tue, 8 Apr 2014 21:08:01 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression

> http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/

igniterealtime.org Openfire Fixed in 3.9.2

We did not find any commits for this under the
http://fisheye.igniterealtime.org/changelog/ URL. Accordingly, only
one CVE is possible at present. Use CVE-2014-2741.

Isode Ltd. M-Link Fixed in 16.0v7

We did not find any details about the change under the
http://www.isode.com/products/m-link.html URL. (Also, the
http://www.isode.com/evaluate/instant-messaging-xmpp.html page seems
to imply that this is not open source.) Accordingly, only one CVE is
possible at present. Use CVE-2014-2742.

lightwitch.org Metronome Fix in progress

http://code.lightwitch.org/metronome/rev/49f47277a411

Use CVE-2014-2743 for "Don't process deflated data if it exceedes the
max allowed limit."

Use CVE-2014-2744 for "Don't allow to compress a stream if it's not
authenticated."

Prosody Prosody Fixed in 0.9.4

http://blog.prosody.im/prosody-0-9-4-released/

Use CVE-2014-2745 for these changes that address resource consumption
in general:

  http://hg.prosody.im/0.9/rev/a97591d2e1ad
  http://hg.prosody.im/0.9/rev/1107d66d2ab2

Use CVE-2014-2744 for this change that addresses decompression of
unauthenticated data:

  http://hg.prosody.im/0.9/rev/b3b1c9da38fb

(This is exactly the same plugins/mod_compression.lua fix as in
Metronome, and thus has the same CVE ID. Metronome was originally
based on the Prosody codebase.)

Tigase Tigase Fixed in 5.2.1

http://www.tigase.org/content/uncontrolled-resource-consumption-highly-compressed-xmpp-messages
https://projects.tigase.org/projects/tigase-server/repository/revisions/7f5af2f8c5b97bbf9def66fbb9dd47746a7ac292
https://projects.tigase.org/issues/1780 (not a public bug)

We did not determine that more than one issue was fixed. Accordingly,
only one CVE is possible at present. Use CVE-2014-2746.

Erlang Solutions MongooseIM Under Investigation

We did not find anything under the
https://github.com/esl/MongooseIM/commits/master URL. There is
apparently no publicly known vulnerability and thus no CVE assignment.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
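
The two mod_compression fixes named in the message (a cap on inflated data, CVE-2014-2743, and no compression before authentication, CVE-2014-2744), shown as an added Python example; it is not part of the original message and is not Metronome's or Prosody's code. The `Session` class, the 256 KiB cap and the `constructed_frame` helper are assumptions made for illustration.

```python
import zlib

MAX_INFLATED = 256 * 1024  # assumed cap per network read; not a value from the page

class CompressionRefused(Exception):
    """Compression was requested on a stream that has not authenticated."""

class InflateLimitExceeded(Exception):
    """One read inflated to more than the configured cap."""

class Session:
    """Hypothetical server-side stream state (names are illustrative)."""

    def __init__(self, limit=MAX_INFLATED):
        self.authenticated = False
        self.closed = False
        self.limit = limit
        self._inflater = None  # None means the stream is not compressed

    def enable_compression(self):
        # Refuse to set up zlib state for peers that have not authenticated.
        if not self.authenticated:
            raise CompressionRefused("authenticate before negotiating compression")
        self._inflater = zlib.decompressobj()

    def feed(self, wire_bytes):
        """Return the plaintext for one read, inflating at most `limit` bytes."""
        if self.closed:
            raise InflateLimitExceeded("stream already closed")
        if self._inflater is None:
            return wire_bytes
        # max_length makes zlib stop after limit + 1 output bytes, so an
        # oversized read is detected without allocating the full expansion.
        out = self._inflater.decompress(wire_bytes, self.limit + 1)
        if len(out) > self.limit or self._inflater.unconsumed_tail:
            self.closed = True      # stop processing this stream entirely
            self._inflater = None   # release the zlib state
            raise InflateLimitExceeded(f"read inflates past {self.limit} bytes")
        return out

def constructed_frame(payload):
    """Constructed sample input: one sync-flushed zlib frame, as a peer would send."""
    c = zlib.compressobj()
    return c.compress(payload) + c.flush(zlib.Z_SYNC_FLUSH)
```

The cap is applied to the inflated size, so the size of the compressed read on the wire gives no indication of whether it will trip the limit.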