Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 8 Apr 2014 21:08:01 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/

igniterealtime.org   Openfire   Fixed in 3.9.2

We did not find any commits for this under the
http://fisheye.igniterealtime.org/changelog/ URL. Accordingly, only
one CVE is possible at present. Use CVE-2014-2741.



Isode Ltd.           M-Link     Fixed in 16.0v7

We did not find any details about the change under the
http://www.isode.com/products/m-link.html URL. (Also, the
http://www.isode.com/evaluate/instant-messaging-xmpp.html page seems
to imply that this is not open source.) Accordingly, only one CVE is
possible at present. Use CVE-2014-2742.



lightwitch.org       Metronome  Fix in progress
http://code.lightwitch.org/metronome/rev/49f47277a411

Use CVE-2014-2743 for "Don't process deflated data if it exceedes the
max allowed limit."

Use CVE-2014-2744 for "Don't allow to compress a stream if it's not
authenticated."



Prosody              Prosody    Fixed in 0.9.4
http://blog.prosody.im/prosody-0-9-4-released/

Use CVE-2014-2745 for these changes that address resource consumption
in general:
  http://hg.prosody.im/0.9/rev/a97591d2e1ad
  http://hg.prosody.im/0.9/rev/1107d66d2ab2

Use CVE-2014-2744 for this change that addresses decompression of
unauthenticated data:
  http://hg.prosody.im/0.9/rev/b3b1c9da38fb

(This is exactly the same plugins/mod_compression.lua fix as in
Metronome, and thus has the same CVE ID. Metronome was originally
based on the Prosody codebase.)



Tigase               Tigase     Fixed in 5.2.1
http://www.tigase.org/content/uncontrolled-resource-consumption-highly-compressed-xmpp-messages
https://projects.tigase.org/projects/tigase-server/repository/revisions/7f5af2f8c5b97bbf9def66fbb9dd47746a7ac292
https://projects.tigase.org/issues/1780 (not a public bug)

We did not determine that more than one issue was fixed. Accordingly,
only one CVE is possible at present. Use CVE-2014-2746.



Erlang Solutions     MongooseIM Under Investigation

We did not find anything under the
https://github.com/esl/MongooseIM/commits/master URL. There is
apparently no publicly known vulnerability and thus no CVE assignment.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTRJxDAAoJEKllVAevmvmsUdcH/0W6GGzE1yTEOnxFqtZ8ghvE
gavs13esHOeB/FLHdliJx54y/xzKoXbWPwItKVju/lqbRJwCMpy1G7+to4PoZ3ZO
O1hanQGjCwmH48D4pY0z203d3whXuMGoZI+DLhyDqvVvwYAwboTCu2E36j0q8Zj2
kwpxfzShE6v13PKriEwMgVLZMj1xUZSD6yXMg24v48vjcRnDqReZ5wdrnXRYIwPP
Kkzlj9P6D+gR98ZQp5pLX5Db574vcAP+7v5jn2EvfGJRsofUhX/K2oPrQ/xGfCpH
rJpvIvBglugtW3/iVKtrKK9QBF5bcFxBrFGWAfrTois5du4FA9iQoi0jC6J0AHo=
=U9OB
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.