Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201404090108.s39181ns004077@linus.mitre.org>
Date: Tue, 8 Apr 2014 21:08:01 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/

igniterealtime.org   Openfire   Fixed in 3.9.2

We did not find any commits for this under the
http://fisheye.igniterealtime.org/changelog/ URL. Accordingly, only
one CVE is possible at present. Use CVE-2014-2741.



Isode Ltd.           M-Link     Fixed in 16.0v7

We did not find any details about the change under the
http://www.isode.com/products/m-link.html URL. (Also, the
http://www.isode.com/evaluate/instant-messaging-xmpp.html page seems
to imply that this is not open source.) Accordingly, only one CVE is
possible at present. Use CVE-2014-2742.



lightwitch.org       Metronome  Fix in progress
http://code.lightwitch.org/metronome/rev/49f47277a411

Use CVE-2014-2743 for "Don't process deflated data if it exceedes the
max allowed limit."

Use CVE-2014-2744 for "Don't allow to compress a stream if it's not
authenticated."



Prosody              Prosody    Fixed in 0.9.4
http://blog.prosody.im/prosody-0-9-4-released/

Use CVE-2014-2745 for these changes that address resource consumption
in general:
  http://hg.prosody.im/0.9/rev/a97591d2e1ad
  http://hg.prosody.im/0.9/rev/1107d66d2ab2

Use CVE-2014-2744 for this change that addresses decompression of
unauthenticated data:
  http://hg.prosody.im/0.9/rev/b3b1c9da38fb

(This is exactly the same plugins/mod_compression.lua fix as in
Metronome, and thus has the same CVE ID. Metronome was originally
based on the Prosody codebase.)



Tigase               Tigase     Fixed in 5.2.1
http://www.tigase.org/content/uncontrolled-resource-consumption-highly-compressed-xmpp-messages
https://projects.tigase.org/projects/tigase-server/repository/revisions/7f5af2f8c5b97bbf9def66fbb9dd47746a7ac292
https://projects.tigase.org/issues/1780 (not a public bug)

We did not determine that more than one issue was fixed. Accordingly,
only one CVE is possible at present. Use CVE-2014-2746.



Erlang Solutions     MongooseIM Under Investigation

We did not find anything under the
https://github.com/esl/MongooseIM/commits/master URL. There is
apparently no publicly known vulnerability and thus no CVE assignment.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTRJxDAAoJEKllVAevmvmsUdcH/0W6GGzE1yTEOnxFqtZ8ghvE
gavs13esHOeB/FLHdliJx54y/xzKoXbWPwItKVju/lqbRJwCMpy1G7+to4PoZ3ZO
O1hanQGjCwmH48D4pY0z203d3whXuMGoZI+DLhyDqvVvwYAwboTCu2E36j0q8Zj2
kwpxfzShE6v13PKriEwMgVLZMj1xUZSD6yXMg24v48vjcRnDqReZ5wdrnXRYIwPP
Kkzlj9P6D+gR98ZQp5pLX5Db574vcAP+7v5jn2EvfGJRsofUhX/K2oPrQ/xGfCpH
rJpvIvBglugtW3/iVKtrKK9QBF5bcFxBrFGWAfrTois5du4FA9iQoi0jC6J0AHo=
=U9OB
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.