A new security flaw that can be exploited for a DoS (Denial of Service) attack has been identified and fixed in the jabberd package.
Package:               jabberd 2.x
Operating systems:     Fedora 13, Fedora 14
Problem:               insufficient validation of input data
Exploitation:          remote
Consequence:           denial of service (DoS)
Solution:              vendor patch
CVE:                   CVE-2011-1755
Original advisory ID:  FEDORA-2011-7805 (Fedora 14), FEDORA-2011-7818 (Fedora 13)
Source:                Fedora
Problem:
The flaw stems from improper handling of certain XML input. The server's XML parser expands nested entity declarations without any limit, so a small document built from recursively defined entities (the "billion laughs" attack, Red Hat Bug #700390) forces the server to produce an exponentially larger expansion and exhaust its memory and CPU.

Consequence:
The flaw can be exploited remotely to carry out a DoS attack against the server.

Solution:
Users are advised to apply the update: jabberd 2.2.14 on Fedora 14, or jabberd 2.2.11-4 on Fedora 13, which carries the fix backported from 2.2.14.
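The following is an added example, not code from jabberd or from the Fedora advisory. jabberd2 parses XMPP streams with expat, and the example uses Python's xml.parsers.expat binding of that same library, so it shows how a parser that expands entities blindly behaves on a (deliberately small) billion-laughs payload, and contrasts it with a parser that refuses any DOCTYPE or entity declaration up front, which is permissible because RFC 6120 section 11.1 forbids DTDs in XMPP streams. The payload sizes, function and exception names are this example's own, and the DTD-rejection mitigation is one defensible approach; the advisory does not say what the upstream patch does internally.

```python
"""Billion-laughs (exponential entity expansion) against an expat-based parser.

Added example, not code from jabberd or from the Fedora advisory. jabberd2
parses XMPP streams with expat; this uses Python's xml.parsers.expat binding
of the same library. Payload sizes, function and exception names are this
example's own choices, and the DTD-rejection mitigation is one defensible
approach, not a claim about what the upstream patch does.
"""
import xml.parsers.expat


def billion_laughs(depth=5, width=10):
    """Build a constructed, deliberately small billion-laughs document.

    Entity lol{i} expands to `width` references to lol{i-1}, so the text
    delivered to the application is width**depth copies of "lol" while the
    document itself grows only linearly with depth. The classic payload uses
    depth=9, width=10 (about 3 GB of output from under 1 KB of input).
    """
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * width
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    dtd = "\n".join(decls)
    return (
        f'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n{dtd}\n]>\n'
        f"<lolz>&lol{depth};</lolz>"
    ).encode()


def expanded_size_unprotected(doc):
    """Parse the way a naive server would and return how many bytes of
    character data the parser handed to the application. This is the memory
    and CPU the attacker gets for free per document."""
    total = 0

    def on_chars(data):
        nonlocal total
        total += len(data)

    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    return total


class DtdNotAllowed(Exception):
    """Raised when a stream carries a DOCTYPE or an entity declaration."""


def parse_rejecting_dtd(doc):
    """Hardened variant: XMPP streams must not contain a DTD (RFC 6120,
    section 11.1), so abort as soon as expat reports a DOCTYPE or an entity
    declaration, which happens before any entity is expanded. Returns True
    when the document contains no DTD and parses cleanly."""

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not permitted in this stream")

    def on_entity_decl(*_args):
        raise DtdNotAllowed("entity declarations are not permitted in this stream")

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.Parse(doc, True)
    return True


def demo():
    """Compare both parsers on the payload and on an ordinary XMPP stanza."""
    payload = billion_laughs()
    # Constructed sample stanza; any DTD-free XMPP traffic behaves the same.
    stanza = b'<message to="bob@example.org"><body>hello</body></message>'
    try:
        parse_rejecting_dtd(payload)
        rejected = False
    except DtdNotAllowed:
        rejected = True
    return {
        "input_bytes": len(payload),
        "expanded_bytes": expanded_size_unprotected(payload),
        "payload_rejected": rejected,
        "stanza_accepted": parse_rejecting_dtd(stanza),
    }


if __name__ == "__main__":
    r = demo()
    print(f"{r['input_bytes']} B in -> {r['expanded_bytes']} B out "
          f"({r['expanded_bytes'] // r['input_bytes']}x amplification)")
    print("payload rejected:", r["payload_rejected"],
          "| normal stanza accepted:", r["stanza_accepted"])
```

With the default depth of 5 the roughly 500-byte document expands to 300,000 bytes of character data; every extra nesting level multiplies that by ten, which is why a bounded-size check on the wire is no defence. Rejecting the DOCTYPE at the parser level stops the expansion before it starts, and because XMPP never legitimately carries a DTD it costs nothing in compatibility. Recent libexpat releases (2.4 and later) additionally cap the amplification ratio once output passes a threshold of a few megabytes; the example stays well below that threshold so that the unprotected path runs to completion on any expat version.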
Original advisory text
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7805
2011-06-03 05:02:11
--------------------------------------------------------------------------------
Name : jabberd
Product : Fedora 14
Version : 2.2.14
Release : 1.fc14
URL : http://codex.xiaoka.com/wiki/jabberd2:start
Summary : OpenSource server implementation of the Jabber protocols
Description :
The jabberd project aims to provide an open-source server implementation of
the Jabber protocols for instant messaging and XML routing. The goal of this
project is to provide a scalable, reliable, efficient and extensible server
that provides a complete set of features and is up to date with the latest
protocol revisions.
jabberd2 is the next generation of the jabberd server. It has been
rewritten from the ground up to be scalable, architecturally sound, and to
support the latest protocol extensions coming out of the JSF.
This package defaults to use pam and sqlite.
--------------------------------------------------------------------------------
Update Information:
This update fixes an important security issue (CVE-2011-1755), for more
information, please see https://bugzilla.redhat.com/show_bug.cgi?id=700390.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jun 1 2011 Dominic Hopf - 2.2.14-1
- update to 2.2.14 (#700390, CVE-2011-1755)
- remove unneeded upstart configuration files
* Thu Apr 14 2011 Dominic Hopf - 2.2.13-1
- updated to 2.2.13
* Wed Jan 5 2011 Adrian Reber - 2.2.11-7
- ported spec changes from f14 branch to devel branch
- fix "jabberd spec file puts server.pem in /etc instead of /etc/jabberd"
(#667504)
* Tue Nov 9 2010 Dominic Hopf - 2.2.11-3
- re-add the server.pem ghost as %config(noreplace) to prevent the
file from being deleted when updating to this package
- fix permissions for directories and files under /var/lib/jabberd
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #700390 - CVE-2011-1755 jabberd: DoS via the XML "billion laughs
attack"
https://bugzilla.redhat.com/show_bug.cgi?id=700390
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update jabberd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7818
2011-06-03 05:02:40
--------------------------------------------------------------------------------
Name : jabberd
Product : Fedora 13
Version : 2.2.11
Release : 4.fc13
URL : http://codex.xiaoka.com/wiki/jabberd2:start
Summary : OpenSource server implementation of the Jabber protocols
--------------------------------------------------------------------------------
Update Information:
This update fixes an important security issue (CVE-2011-1755), for more
information, please see https://bugzilla.redhat.com/show_bug.cgi?id=700390.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jun 2 2011 Dominic Hopf - 2.2.11-4
- backported patch to fix the billion laughs issue from 2.2.14 (#700390,
CVE-2011-1755)
* Tue Nov 9 2010 Dominic Hopf - 2.2.11-3
- re-add the server.pem ghost as %config(noreplace) to prevent the
file from being deleted when updating to this package
- fix permissions for directories and files under /var/lib/jabberd
* Wed Oct 6 2010 Dominic Hopf - 2.2.11-2
- new upstream release jabberd 2.2.11
- fix script-without-shebang errors
- preserve timestamp of ChangeLog while converting to UTF8
- add patch jabberd-fix-missing-reference-in-log_error.patch from upstream svn
- use %{_mandir} macro for manpages
- create a new source file for the PAM info instead of writing it on the fly
- install all tools provided by upstream to /usr/share/jabberd/
- remove storage driver replacement, since 2.2.10 sqlite is the default
- remove dependency to gc-devel
- remove unnecessary defines for sysconfdir and don't use unnecessary macros
- remove static libraries
- fix a lot of rpmlint errors and warnings
- rename file jabberd to jabberd.init to make 'fedpkg mockbuild' possible
* Wed Sep 29 2010 jkeating - 2.2.8-5.1
- Rebuilt for gcc bug 634757
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #700390 - CVE-2011-1755 jabberd: DoS via the XML "billion laughs
attack"
https://bugzilla.redhat.com/show_bug.cgi?id=700390
--------------------------------------------------------------------------------