Date: Tue, 8 Apr 2014 21:08:01 -0400 (EDT) From: cve-assign@...re.org To: carnil@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/ igniterealtime.org Openfire Fixed in 3.9.2 We did not find any commits for this under the http://fisheye.igniterealtime.org/changelog/ URL. Accordingly, only one CVE is possible at present. Use CVE-2014-2741. Isode Ltd. M-Link Fixed in 16.0v7 We did not find any details about the change under the http://www.isode.com/products/m-link.html URL. (Also, the http://www.isode.com/evaluate/instant-messaging-xmpp.html page seems to imply that this is not open source.) Accordingly, only one CVE is possible at present. Use CVE-2014-2742. lightwitch.org Metronome Fix in progress http://code.lightwitch.org/metronome/rev/49f47277a411 Use CVE-2014-2743 for "Don't process deflated data if it exceedes the max allowed limit." Use CVE-2014-2744 for "Don't allow to compress a stream if it's not authenticated." Prosody Prosody Fixed in 0.9.4 http://blog.prosody.im/prosody-0-9-4-released/ Use CVE-2014-2745 for these changes that address resource consumption in general: http://hg.prosody.im/0.9/rev/a97591d2e1ad http://hg.prosody.im/0.9/rev/1107d66d2ab2 Use CVE-2014-2744 for this change that addresses decompression of unauthenticated data: http://hg.prosody.im/0.9/rev/b3b1c9da38fb (This is exactly the same plugins/mod_compression.lua fix as in Metronome, and thus has the same CVE ID. Metronome was originally based on the Prosody codebase.) Tigase Tigase Fixed in 5.2.1 http://www.tigase.org/content/uncontrolled-resource-consumption-highly-compressed-xmpp-messages https://projects.tigase.org/projects/tigase-server/repository/revisions/7f5af2f8c5b97bbf9def66fbb9dd47746a7ac292 https://projects.tigase.org/issues/1780 (not a public bug) We did not determine that more than one issue was fixed. Accordingly, only one CVE is possible at present. Use CVE-2014-2746. Erlang Solutions MongooseIM Under Investigation We did not find anything under the https://github.com/esl/MongooseIM/commits/master URL. There is apparently no publicly known vulnerability and thus no CVE assignment. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTRJxDAAoJEKllVAevmvmsUdcH/0W6GGzE1yTEOnxFqtZ8ghvE gavs13esHOeB/FLHdliJx54y/xzKoXbWPwItKVju/lqbRJwCMpy1G7+to4PoZ3ZO O1hanQGjCwmH48D4pY0z203d3whXuMGoZI+DLhyDqvVvwYAwboTCu2E36j0q8Zj2 kwpxfzShE6v13PKriEwMgVLZMj1xUZSD6yXMg24v48vjcRnDqReZ5wdrnXRYIwPP Kkzlj9P6D+gR98ZQp5pLX5Db574vcAP+7v5jn2EvfGJRsofUhX/K2oPrQ/xGfCpH rJpvIvBglugtW3/iVKtrKK9QBF5bcFxBrFGWAfrTois5du4FA9iQoi0jC6J0AHo= =U9OB -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ