A denial of service flaw was found in the way the PubSub extension of ejabberd, a distributed, fault-tolerant Jabber/XMPP server, processed certain malformed <publish/> stanzas. A remote attacker, an authenticated Jabber user, could send a specially-crafted request to the Jabber server, causing the jabberd daemon to enter an infinite loop and consume an excessive amount of CPU while processing the stanza.
References:
[1] http://www.ejabberd.im/ejabberd-2.1.9
Upstream bug report:
[2] https://support.process-one.net/browse/EJAB-1498
Relevant upstream commits:
[3] https://git.process-one.net/ejabberd/mainline/commit/d3c4eab46f3cd54f7686cfed740d9c130b6801cf (original fix to correct the EJAB-1498 issue)
[4] https://git.process-one.net/ejabberd/mainline/commit/fa08db7091f5ba904f337e30ec7c9a46857eb36d (correction of broken PEP upon [3] commit)
This issue affects the versions of the ejabberd package as shipped with the Fedora EPEL 5 and Fedora EPEL 6 releases. Please schedule an update.
--
This issue affects the versions of the ejabberd package as shipped with Fedora releases 14, 15, and 16. Please schedule an update.
Created ejabberd tracking bugs for this issue:
Affects: epel-5 [bug 755556]
Affects: epel-6 [bug 755557]
Affects: fedora-all [bug 755558]
CVE assignment: [5] http://www.openwall.com/lists/oss-security/2011/11/19/2
Sorry for the hiatus, folks. I'm working on packaging 2.1.9 right now. The only issue I need to resolve is that ejabberd in Fedora is shipped with a custom module for GSSAPI support - I'm working on rebasing it on top of the 2.1.9 tag (I plan to finish it in a couple of hours). Also, I plan to tightly integrate it with systemd, so expect an update tomorrow morning (~ 08.00 UTC).
OK, I added the first two builds for F-15 and F-16 (no builds for F-14 - sorry for that). Will add EL-[56] builds later.
This was fixed a long time ago. Can we just close this now?