Your message dated Wed, 19 Jan 2005 10:01:10 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#291183: CAN-2004-1378: Denial of service in jabberd has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------

Received: (at submit) by bugs.debian.org; 19 Jan 2005 09:27:55 +0000
Date: Wed, 19 Jan 2005 10:23:24 +0100
From: Martin Schulze <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: CAN-2004-1378: Denial of service in jabberd
Message-ID: <[EMAIL PROTECTED]>

Package: jabber
Version: 1.4.3-3
Severity: grave
Tags: security sid sarge

I can only guess that our version is vulnerable as well. If not, please close this bug report. If you've included a fix, please add the CVE id to the proper changelog item.
======================================================
Candidate: CAN-2004-1378
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1378
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20050119
Category: SF
Reference: BUGTRAQ:20040920 Possible DoS attack against jabberd 1.4.3 and jadc2s 0.9.0
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=109583829122679&w=2
Reference: MLIST:20040919 [jabberd] Jabberd 1.4 critical bug
Reference: URL:http://mail.jabber.org/pipermail/jabberd/2004-September/002004.html
Reference: CONFIRM:http://devel.amessage.info/jabberd14/
Reference: CONFIRM:http://www.vuxml.org/freebsd/2e25d38b-54d1-11d9-b612-000c6e8f12ef.html
Reference: GENTOO:GLSA-200409-31
Reference: URL:http://www.gentoo.org/security/en/glsa/glsa-200409-31.xml
Reference: BID:11231
Reference: URL:http://www.securityfocus.com/bid/11231
Reference: XF:jabberd-xml-dos(17466)
Reference: URL:http://xforce.iss.net/xforce/xfdb/17466

The expat XML parser code, as used in the open source Jabber (jabberd) 1.4.3 and earlier, jadc2s 0.9.0 and earlier, and possibly other packages, allows remote attackers to cause a denial of service (application crash) via a malformed packet to a socket that accepts XML connections.

Regards,

	Joey

-- 
Ten years and still binary compatible.  -- XFree86

Please always Cc to me when replying to me on the lists.
---------------------------------------

Received: (at 291183-done) by bugs.debian.org; 19 Jan 2005 17:01:14 +0000
Date: Wed, 19 Jan 2005 10:01:10 -0700
From: "Jamin W. Collins" <[EMAIL PROTECTED]>
To: Martin Schulze <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#291183: CAN-2004-1378: Denial of service in jabberd
Message-ID: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>

On Wed, Jan 19, 2005 at 10:23:24AM +0100, Martin Schulze wrote:
> Package: jabber
> Version: 1.4.3-3
> Severity: grave
> Tags: security sid sarge
>
> I can only guess that our version is vulnerable as well.
No, there are several things you could have done:

- checked previous bug reports and changelog entries concerning expat
- installed the Debian package and tested with the simple command found here:
  http://mail.jabber.org/pipermail/jabberd/2004-September/002004.html
- checked the package source for inclusion of the patch

Any of the above would have indicated that the problem has been corrected in the Debian packages.

> If not, please close this bug report.

The problem was initially reported here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=272408

The corrective patch has been included in the Debian package for a while.

> If you've included a fix, please add the CVE id to the
> proper changelog item.

Changing historical changelog entries isn't a good thing (IMHO).

-- 
Jamin W. Collins

Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
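As an added illustration of the first check in the reply above (it is not part of the thread), a small POSIX shell function that searches a Debian changelog for the bug number or CVE id that records this fix. The changelog it runs on is constructed here and is not the jabber package's real history; the version strings and maintainer address in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the bug thread: check whether a Debian changelog
# records the fix for CAN-2004-1378 (Debian bug #272408). This is the
# "check the changelog" step from the reply above, done mechanically.
# Usage: fix_recorded_in_changelog /usr/share/doc/jabber/changelog.Debian.gz
# Exit status 0 when an entry closes #272408 or names the CVE, 1 otherwise.
fix_recorded_in_changelog() {
    file=$1
    [ -r "$file" ] || return 1
    case "$file" in
        *.gz) reader="gzip -dc" ;;   # installed changelogs are gzipped
        *)    reader="cat" ;;
    esac
    # Debian changelog entries reference bugs as "Closes: #NNN" (several ids
    # may follow one "Closes:") and name security issues by CAN/CVE id.
    $reader "$file" 2>/dev/null | grep -Eiq 'closes:[^)]*#272408|C(AN|VE)-2004-1378'
}

# Constructed sample changelog (not the real jabber package history), used
# only so the check can be exercised offline. Versions are placeholders.
SAMPLE_CHANGELOG=$(mktemp)
trap 'rm -f "$SAMPLE_CHANGELOG"' EXIT
cat >"$SAMPLE_CHANGELOG" <<'EOF'
jabber (1.4.3-0example2) unstable; urgency=high

  * Apply upstream patch for the expat XML parser crash on malformed
    packets (Closes: #272408)

 -- Example Maintainer <maint@example.invalid>  Mon, 27 Sep 2004 12:00:00 +0000

jabber (1.4.3-0example1) unstable; urgency=low

  * Initial example entry

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Mar 2004 12:00:00 +0000
EOF

if fix_recorded_in_changelog "$SAMPLE_CHANGELOG"; then
    echo "fix for #272408 / CAN-2004-1378 is recorded in $SAMPLE_CHANGELOG"
else
    echo "no changelog entry records the fix; inspect the package source"
fi
```

A match only shows the maintainer recorded the fix; confirming the patch is actually applied still means reading the package source, as the second and third checks in the reply say.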