Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 23 Aug 2012 01:20:54 +0400 (MSK)
From:      Eygene Ryabinkin <rea@FreeBSD.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        mm@FreeBSD.org
Subject:   ports/170894: [vuxml][patch] net-im/jabberd: fix CVE-2012-3525
Message-ID:  <20120822212054.0ED80DA81F@void.codelabs.ru>
Resent-Message-ID: <201208222130.q7MLU6d5070566@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         170894
>Category:       ports
>Synopsis:       [vuxml][patch] net-im/jabberd: fix CVE-2012-3525
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 22 21:30:06 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 10.0-CURRENT amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 10.0-CURRENT amd64

>Description:

XMPP Standards Foundation reported that some XMPP implementations,
including jabberd 2.x, are prone to the domain spoofing via the
server dialback protocol [1].  Jabberd developers already fixed
this in their Git repository [2].

I had added VuXML entry 4d1d2f6d-ec94-11e1-8bd8-0022156e8794 to the
FreeBSD VuXML index [3], please, use it in the commit log.

[1] http://xmpp.org/resources/security-notices/server-dialback/
[2] https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d
[3] http://svnweb.freebsd.org/ports?view=revision&revision=302966

>How-To-Repeat:

Look at [1] and [2].

>Fix:

Patch is available at
  http://codelabs.ru/fbsd/ports/jabberd/jabberd-cve-2012-3525.diff
It just adds vendor patch to the current port.

I had briefly tested it our CodeLabs Jabber server.  No problems
were yet found.
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120822212054.0ED80DA81F>